Preface



This volume represents the refereed proceedings of the 7th International Conference on Finite Fields and Applications (Fq7) held during May 5-9, 2003, in Toulouse, France. The conference was hosted by the Pierre Baudis Congress Center, downtown, and held at this excellent conference facility. This event continued a series of biennial international conferences on Finite Fields and Applications, following earlier meetings at the University of Nevada at Las Vegas (USA) in August 1991 and August 1993, the University of Glasgow (UK) in July 1995, the University of Waterloo (Canada) in August 1997, the University of Augsburg (Germany) in August 1999, and the Universidad Autonoma Metropolitana-Iztapalapa, in Oaxaca (Mexico) in 2001.

The Organizing Committee consisted of Claude Carlet (INRIA, Paris, France), Dieter Jungnickel (University of Augsburg, Germany), Gary Mullen (Pennsylvania State University, USA), Harald Niederreiter (National University of Singapore, Singapore), Alain Poli, Chair (Paul Sabatier University, Toulouse, France), Henning Stichtenoth (Essen University, Germany), and Horacio Tapia-Recillas (Universidad Autonoma Metropolitana-Iztapalapa, Mexico).

The program of the conference consisted of four full days and one half day 
of sessions, with eight invited plenary talks, and close to 60 contributed talks. 

Finite fields have an inherently fascinating structure and they are important tools in discrete mathematics. Their applications range from combinatorial design theory, finite geometries, and algebraic geometry to coding theory, cryptology, and scientific computing. A particularly fruitful aspect is the interplay between theory and applications which has led to many new perspectives in research on finite fields. This interplay has been a dominant theme in earlier Fq conferences and was very much in evidence at Fq7. Applied or applications-oriented topics accounted for a significant part of the program.

These proceedings reflect the wide variety of topics represented at the con- 
ference. Most invited talks and a good proportion of the contributed talks 
are on permanent record here. All contributed talks were screened before the 
conference and all full papers were carefully refereed. We would like to take 
this opportunity to thank the members of the Organizing Committee and all 
referees who helped in these tasks. These colleagues contributed enormously to 
the quality of the conference presentations and to guaranteeing high standards 
for these proceedings. 

We greatly appreciate the generous financial support received for the conference. A fair portion of the funds was provided by the AAECC Lab. (Applied Algebra and Error Correcting Codes) of Alain Poli.



Regarding the present proceedings, we thank very much Prof. Yves Soulet 
(Irsamc, Paul Sabatier University, Toulouse, France) for his remarkable work in 
arranging the proceedings volume. We also thank Alfred Hofmann of Springer- 
Verlag who gave us the opportunity to publish this volume with a top publisher 
and in an attractive form. Working with him and Anna Kramer at Springer- 
Verlag has been a pleasure. 

Finally, we are pleased to confirm that the Fq series will continue in Puerto Rico in August 2005. We expect another lively and stimulating meeting there, which should, like the previous conferences, serve as an important meeting place for theoretical as well as applied aspects of finite fields. We hope to see you there!



December 2003 Gary L. Mullen 

Alain Poli 
Henning Stichtenoth 
National University of Singapore
Singapore 119260
tslmw@nus.edu.sg

Johann Radon Institute for Computational and Applied Mathematics,
Austrian Academy of Sciences, c/o Johannes Kepler University Linz,
Altenbergerstraße 69, 4040 Linz, Austria,
arne.winterhof@oeaw.ac.at



Abstract. We extend a result of Ding and Helleseth on the autocorrelation of a cyclotomic generator in several ways. We define and analyze cyclotomic generators of arbitrary orders and over arbitrary finite fields, and we consider two, in general, different definitions of autocorrelation. Cyclotomic generators are closely related to the discrete logarithm. Hence, the results of this paper not only describe interesting cryptographic properties of cyclotomic generators and their generalizations but also desirable features of the discrete logarithm.



1 Introduction 



Let $(s_n)$ be a $q$-periodic sequence over the residue class ring $\mathbb{Z}_d$. The autocorrelation of $(s_n)$ is the complex-valued function defined by

$$A_d(q,t) := \frac{1}{q}\sum_{n=0}^{q-1} e_d^{\,s_{n+t}-s_n}, \qquad 1 \le t \le q-1, \tag{1}$$

where $e_d = \exp(2\pi i/d)$. The autocorrelation measures the amount of similarity between the sequence $(s_n)$ and a shift of $(s_n)$ by $t$ positions. If $(s_n)$ is a random sequence over $\mathbb{Z}_d$ of period $q$ then $|A_d(q,t)|$ can be expected to be quite small for all values $1 \le t \le q-1$. The security of many cryptographic systems depends upon the generation of pseudorandom, i.e., unpredictable quantities, and a low autocorrelation is a desirable feature for pseudorandom sequences.

Let $q$ be a prime power, $\gamma$ a primitive element of the finite field $\mathbb{F}_q$ of $q$ elements, and $d > 1$ a divisor of $q-1$. The cyclotomic classes of order $d$ give a partition of $\mathbb{F}_q^* := \mathbb{F}_q \setminus \{0\}$ defined by

$$D_0 := \{\gamma^{id} : 0 \le i \le (q-1)/d - 1\} \quad\text{and}\quad D_j := \gamma^j D_0, \quad 1 \le j \le d-1.$$
We order the elements of $\mathbb{F}_q = \{\xi_0, \xi_1, \ldots, \xi_{q-1}\}$ in the following way,

$$\xi_n := n_1\beta_1 + n_2\beta_2 + \cdots + n_r\beta_r \quad\text{if}\quad n = n_1 + n_2 p + \cdots + n_r p^{r-1}, \quad 0 \le n_1, n_2, \ldots, n_r \le p-1,$$

where $q = p^r$, $p$ is the characteristic of $\mathbb{F}_q$, and $\{\beta_1, \beta_2, \ldots, \beta_r\}$ is a basis of $\mathbb{F}_q$ over $\mathbb{F}_p$. We consider the $q$-periodic sequence $(s_n)$ over $\mathbb{Z}_d$ defined by

$$s_n := \begin{cases} j, & \text{if } \xi_n \in D_j,\ 0 \le j \le d-1,\ 1 \le n \le q-1, \\ 0, & \text{if } n = 0, \end{cases} \tag{2}$$

and $s_{n+q} = s_n$, $n \ge 0$. For $r = 1$ this sequence is called cyclotomic generator of order $d$. In this case the autocorrelation is

$$A_d(p,t) = (-1 + e_d^{\,j} + e_d^{\,-i-j})/p, \tag{3}$$

if $t \in D_j$ and $-1 \in D_i$. See [8, Theorem 5] (see also [4, Chapter 10.3]) for a proof of the case $d = 3$. For $r > 1$ we prove an upper bound on $|A_d(q,t)|$ of the order of magnitude $q^{-1/2}\log(p)^{r-1}$ in Section 3, where the implied constant depends on $r$ only.

Although this result is weaker it is also of high interest because of the close relation of the sequence $(s_n)$ to the discrete logarithm in $\mathbb{F}_q$. The discrete logarithm (or index) $\mathrm{ind}_\gamma(\xi)$ of an element $\xi \in \mathbb{F}_q^*$ is the unique integer $l$ with $\xi = \gamma^l$ and $0 \le l \le q-2$. With the convention $\mathrm{ind}_\gamma(0) := q-1$ we have

$$s_n = \mathrm{ind}_{\gamma,d}(\xi_n), \qquad 0 \le n \le q-1,$$

where $\mathrm{ind}_{\gamma,d}(\xi)$ denotes the residue class of $\mathrm{ind}_\gamma(\xi)$ modulo $d$. Many cryptographic systems such as the Diffie-Hellman key exchange depend on the intractability and unpredictability of the discrete logarithm (see e.g. [20]).

Moreover, we introduce a slight modification of the autocorrelation which might be better suited for the sequences $(s_n)$ when $r > 1$ and coincides with (1) when $r = 1$,

$$A_d^{\oplus}(q,t) := \frac{1}{q}\sum_{n=0}^{q-1} e_d^{\,s_{n \oplus t} - s_n}, \qquad 1 \le t \le q-1, \tag{4}$$

where $n \oplus t := k$ if and only if $\xi_n + \xi_t = \xi_k$. Now the analogue of (3) for $A_d^{\oplus}(q,t)$ holds true. We prove this result in Section 2. We also consider the sequences $(s_n)$ defined by

$$s_n := \mathrm{ind}_{\gamma,m}(\xi_n), \qquad 0 \le n \le q-1, \tag{5}$$

and $s_{n+q} = s_n$, $n \ge 0$, where $m$ is not a divisor of $q-1$. We reduce this general case to some extent to the case of divisors of $q-1$. For the most interesting partial case $m = q$ we get

$$|A_q^{\oplus}(q,t)| \le \frac{2\pi}{q} + |A_{q-1}^{\oplus}(q,t)| \le \frac{2\pi + 3}{q}$$

and

$$|A_q(q,t)| \le \frac{2\pi}{q} + |A_{q-1}(q,t)| = O\bigl(q^{-1/2}\log(p)^{r-1}\bigr).$$

Finally in Section 4, we prove similar results for parts of the period, i.e., upper bounds on the aperiodic autocorrelation.

2 Exact Autocorrelation Values 

In this section we prove (3) in the following slightly more general form. Although the result is known [9, Theorem 7] we are not aware of a reference for the following short proof and present it here for completeness.

Theorem 1. Let $q$ be a prime power and $d > 1$ be a divisor of $q-1$. For a sequence of the form (2) and $A_d^{\oplus}(q,t)$ defined by (4) we have

$$A_d^{\oplus}(q,t) = (-1 + e_d^{\,j} + e_d^{\,-i-j})/q,$$

if $\xi_t \in D_j$ and $-1 \in D_i$.

Proof. By definition we have

$$qA_d^{\oplus}(q,t) = \sum_{n=0}^{q-1} e_d^{\,s_{n\oplus t}-s_n} = e_d^{\,j} + e_d^{\,-i-j} + \sum_{\substack{n=1 \\ n \oplus t \ne 0}}^{q-1} e_d^{\,s_{n\oplus t}-s_n},$$

where the two separated terms come from $n = 0$ and from the $n$ with $\xi_n = -\xi_t$. Verify that

$$\chi_d(\xi_n) := e_d^{\,s_n}, \qquad 1 \le n \le q-1,$$

is a nontrivial multiplicative character of $\mathbb{F}_q$. We use the convention $\chi_d(0) := 0$. Thus with [11, Lemma 7.3.7] we have

$$\sum_{\substack{n=1 \\ n \oplus t \ne 0}}^{q-1} e_d^{\,s_{n\oplus t}-s_n} = \sum_{n=0}^{q-1} \chi_d(\xi_n + \xi_t)\,\chi_d^{-1}(\xi_n) = -1,$$

where we used $\xi_{n \oplus t} = \xi_n + \xi_t$. □

3 Bounds on the Autocorrelation for Arbitrary Finite 
Fields 

In this section we establish upper bounds on the autocorrelation $A_d(q,t)$ for a sequence of the form (2) over arbitrary finite fields. In the case of a prime field Theorem 1 yields the exact value.

Theorem 2. Let $q$ be a prime power and $d > 1$ be a divisor of $q-1$. For a sequence of the form (2) we have the following upper bound on the autocorrelation $A_d(q,t)$,

$$|A_d(q,t)| = O\bigl(q^{-1/2}(\log p)^{r-1}\bigr), \qquad 1 \le t \le q-1,$$

where the implied constant depends on $r$ only.
Proof. For $0 \le t, n \le q-1$ let

$$t = t_1 + t_2 p + \cdots + t_r p^{r-1}, \qquad 0 \le t_1, t_2, \ldots, t_r \le p-1,$$

and

$$n = n_1 + n_2 p + \cdots + n_r p^{r-1}, \qquad 0 \le n_1, n_2, \ldots, n_r \le p-1,$$

be the $p$-adic expansions of $t$ and $n$, respectively. Put $w_1 := 0$ and define for $1 \le i \le r$ recursively

$$w_{i+1} := \begin{cases} 1, & \text{if } t_i + n_i + w_i \ge p, \\ 0, & \text{otherwise.} \end{cases}$$

Then we have

$$n + t \equiv z_1 + z_2 p + \cdots + z_r p^{r-1} \pmod q, \qquad 0 \le z_1, z_2, \ldots, z_r \le p-1,$$

with

$$z_i = t_i + n_i + w_i - w_{i+1}\,p, \qquad 1 \le i \le r,$$

and, since $p\beta_i = 0$ in $\mathbb{F}_q$,

$$\xi_{n+t} = \xi_n + \xi_t + \omega, \qquad\text{where}\qquad \omega = \sum_{i=1}^{r} w_i\beta_i.$$

Note that for fixed $t$ we have at most $2^{r-1}$ possible choices for $\omega$ (as $w_1 = 0$), and the sets

$$P_\omega := \{\xi_n \in \mathbb{F}_q : \xi_{n+t} = \xi_n + \xi_t + \omega\}$$

define a partition of $\mathbb{F}_q$. For fixed $w_2, \ldots, w_r \in \{0,1\}$ the set $P_\omega$ can be written in the form

$$P_\omega = \Bigl\{\alpha + \sum_{j=1}^{r} u_j\beta_j : 0 \le u_j \le k_j - 1,\ j = 1, \ldots, r\Bigr\},$$

where

$$\alpha = \sum_{\substack{1 \le j < r \\ w_{j+1} = 1}} \bigl(p - (t_j + w_j)\bigr)\beta_j$$

and

$$k_j = \begin{cases} p - (t_j + w_j), & w_{j+1} = 0,\ 1 \le j < r, \\ t_j + w_j, & w_{j+1} = 1,\ 1 \le j < r, \\ p, & j = r. \end{cases}$$
Now the autocorrelation of $(s_n)$ can be estimated,

$$\begin{aligned} q|A_d(q,t)| &\le 2 + \Bigl|\sum_{\xi \in \mathbb{F}_q} \chi_d(\xi + \xi_t)\chi_d^{-1}(\xi)\Bigr| + \sum_{\omega \ne 0}\Bigl|\sum_{\xi \in P_\omega} \bigl(\chi_d(\xi + \xi_t + \omega) - \chi_d(\xi + \xi_t)\bigr)\chi_d^{-1}(\xi)\Bigr| \\ &\le 3 + \sum_{\omega \ne 0}\Bigl(\Bigl|\sum_{\xi \in P_\omega} \chi_d(\xi + \xi_t + \omega)\chi_d^{-1}(\xi)\Bigr| + \Bigl|\sum_{\xi \in P_\omega} \chi_d(\xi + \xi_t)\chi_d^{-1}(\xi)\Bigr|\Bigr). \end{aligned} \tag{6}$$

With the method of Polya and Vinogradov and Weil's bound (see [6, 27-30]) we can prove that the absolute values of the inner sums are smaller than

$$2q^{1/2}(1 + \log p)^{r-1}. \tag{7}$$

Hence, we have

$$|A_d(q,t)| \le \bigl(3 + 4(2^{r-1} - 1)\,q^{1/2}(1 + \log p)^{r-1}\bigr)/q \tag{8}$$

and the result follows. For the convenience of the reader we add the most important steps for the deduction of the upper bound (7). For more details we refer to [6, 27-30]. From

$$\sum_{\xi \in P_\omega} \chi_d(\xi + \xi_t + \omega)\chi_d^{-1}(\xi) = \frac{1}{q}\sum_{\eta \in \mathbb{F}_q}\sum_{\zeta \in \mathbb{F}_q} \chi_d(\zeta + \xi_t + \omega)\chi_d^{-1}(\zeta)\psi(-\eta\zeta)\sum_{\xi \in P_\omega}\psi(\eta\xi)$$

we get

$$\Bigl|\sum_{\xi \in P_\omega} \chi_d(\xi + \xi_t + \omega)\chi_d^{-1}(\xi)\Bigr| \le \frac{1}{q}\sum_{\eta \in \mathbb{F}_q}\Bigl|\sum_{\zeta \in \mathbb{F}_q}\chi_d(\zeta + \xi_t + \omega)\chi_d^{-1}(\zeta)\psi(-\eta\zeta)\Bigr|\,\Bigl|\sum_{\xi \in P_\omega}\psi(\eta\xi)\Bigr| \le \frac{2}{q^{1/2}}\sum_{\eta \in \mathbb{F}_q}\Bigl|\sum_{\xi \in P_\omega}\psi(\eta\xi)\Bigr|$$

by Weil's Theorem, where $\psi$ denotes the additive canonical character of $\mathbb{F}_q$. Now we have

$$\Bigl|\sum_{\xi \in P_\omega}\psi(\eta\xi)\Bigr| = \prod_{j=1}^{r}\Bigl|\sum_{u_j=0}^{k_j-1}\psi(u_j\eta\beta_j)\Bigr| \le p\prod_{j=1}^{r-1}\min\Bigl(k_j,\ \frac{1}{|\sin(\mathrm{Tr}(\eta\beta_j)\pi/p)|}\Bigr)$$

if $\mathrm{Tr}(\eta\beta_r) = 0$, where $\mathrm{Tr}$ denotes the absolute trace of $\mathbb{F}_q$. Otherwise this sum vanishes since $k_r = p$. Now the mapping $\eta \mapsto (\mathrm{Tr}(\eta\beta_1), \ldots, \mathrm{Tr}(\eta\beta_r))$ is a bijection. Hence, summing the last bound over all $\eta$ with $\mathrm{Tr}(\eta\beta_r) = 0$ yields the desired upper bound (7).

□



Remark: Equation (6) can be easily modified to give an exact relation between $A_d(q,t)$ and $A_d^{\oplus}(q,t)$,

$$A_d(q,t) = A_d^{\oplus}(q,t) + \frac{1}{q}\Bigl(\,\cdots\, + \sum_{\omega \ne 0}\sum_{\xi \in P_\omega}\bigl(\chi_d(\xi + \xi_t + \omega) - \chi_d(\xi + \xi_t)\bigr)\chi_d^{-1}(\xi)\Bigr)$$

if $\xi_t \in D_j$, $-1 \in D_i$, and $\ldots \in D_k$. For $r = 1$ both values coincide and (8) yields the better bound $O(q^{-1})$.

Defining the sequence (2) we presupposed that the modulus $d$ is a divisor of $q-1$. Now we drop this condition and consider the sequences $(s_n)$ defined by (5) over $\mathbb{Z}_m$ for an arbitrary integer $m$. For several moduli $m$ that are close to a sufficiently large divisor $d$ of $q-1$, we can establish nontrivial upper bounds on the autocorrelation $A_m(q,t)$ of the corresponding sequence.



Corollary 1. Let $m > 1$ be an integer. Then we have

$$|A_m^{\oplus}(q,t)| \le \min_{\substack{d \mid (q-1) \\ d > 1}} \frac{2\pi|m-d|(q-1)}{md} + \frac{3}{q}$$

and

$$|A_m(q,t)| \le \min_{\substack{d \mid (q-1) \\ d > 1}} \frac{2\pi|m-d|(q-1)}{md} + O\bigl(q^{-1/2}\log(p)^{r-1}\bigr),$$

where the implied constant depends on $r$ only.

Proof. We write $e(u) = \exp(2\pi i u)$ for real $u$ and $e_k(u) = e(u/k)$ for an integer $k$. We have for $x$ with $|x| \le q-1$,

$$\frac{|m-d|\,|x|}{dm} \le \frac{|m-d|(q-1)}{dm}.$$

Since

$$|e(u) - 1| = 2|\sin(\pi u)| \le 2\pi|u| \quad\text{for real } u,$$

we have

$$|e_m(x) - e_d(x)| \le \frac{2\pi|m-d|(q-1)}{dm}.$$

Hence,

$$q|A_m^{\oplus}(q,t)| \le \Bigl|\sum_{n=0}^{q-1} e_d\bigl(\mathrm{ind}_\gamma(\xi_{n\oplus t}) - \mathrm{ind}_\gamma(\xi_n)\bigr)\Bigr| + \sum_{n=0}^{q-1}\Bigl|e_m\bigl(\mathrm{ind}_\gamma(\xi_{n\oplus t}) - \mathrm{ind}_\gamma(\xi_n)\bigr) - e_d\bigl(\mathrm{ind}_\gamma(\xi_{n\oplus t}) - \mathrm{ind}_\gamma(\xi_n)\bigr)\Bigr|,$$

where the first sum is $q|A_d^{\oplus}(q,t)|$, which is bounded by $3$ by Theorem 1, and each of the $q$ terms of the second sum is at most $2\pi|m-d|(q-1)/(dm)$. The bound on $A_m(q,t)$ follows in the same way from Theorem 2. □
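The following Python script is an added worked example, not code from the paper: it constructs a small instance of the objects defined in Section 1 and checks Theorem 1 and Corollary 1 numerically. It builds $\mathbb{F}_{49} = \mathbb{F}_7[i]/(i^2+1)$ with the basis $\{1, i\}$ (the choice $p = 7$, $r = 2$ and this basis are assumptions made for the example), orders the elements as $\xi_n$, computes the sequence (2) (and (5) when $m \nmid q-1$), and evaluates both $A_m(q,t)$ and $A_m^{\oplus}(q,t)$ over all shifts.

```python
import cmath
from itertools import product

# Constructed parameters for this example (assumptions, not taken from the paper):
# p = 7, r = 2, q = 49 and F_49 = F_7[i]/(i^2 + 1); i^2 = -1 is irreducible
# because 7 = 3 (mod 4).  Elements are pairs (a0, a1) meaning a0 + a1*i.
P, R = 7, 2
Q = P ** R
ZERO, ONE = (0, 0), (1, 0)


def fadd(a, b):
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)


def fmul(a, b):
    # (a0 + a1 i)(b0 + b1 i) with i^2 = -1
    return ((a[0] * b[0] - a[1] * b[1]) % P, (a[0] * b[1] + a[1] * b[0]) % P)


def find_primitive():
    """Return an element gamma of multiplicative order q - 1 (brute force)."""
    for g in product(range(P), repeat=R):
        if g == ZERO:
            continue
        x, order = g, 1
        while x != ONE:
            x, order = fmul(x, g), order + 1
        if order == Q - 1:
            return g
    raise RuntimeError("no primitive element found")


GAMMA = find_primitive()


def index_table():
    """ind_gamma(xi) for xi in F_q^*, plus the paper's convention ind_gamma(0) = q - 1."""
    ind, x = {ZERO: Q - 1}, ONE
    for l in range(Q - 1):
        ind[x] = l
        x = fmul(x, GAMMA)
    return ind


IND = index_table()


def xi(n):
    """The ordering xi_n = n1*beta1 + n2*beta2 with n = n1 + n2*p and the basis {1, i}."""
    return (n % P, (n // P) % P)


def idx(element):
    """Inverse of xi: the index n with xi_n = element."""
    return element[0] + element[1] * P


def sequence(m):
    """s_n = ind_{gamma,m}(xi_n), 0 <= n <= q-1: sequence (2) if m | q-1, else sequence (5)."""
    return [IND[xi(n)] % m for n in range(Q)]


def autocorrelation(m, t, field_shift):
    """A_m^+(q,t) (shift n (+) t, xi_{n(+)t} = xi_n + xi_t) or A_m(q,t) (shift n + t mod q)."""
    s = sequence(m)
    total = 0
    for n in range(Q):
        k = idx(fadd(xi(n), xi(t))) if field_shift else (n + t) % Q
        total += cmath.exp(2j * cmath.pi * (s[k] - s[n]) / m)
    return total / Q


def theorem1_value(d, t):
    """(-1 + e_d^j + e_d^{-i-j}) / q where xi_t lies in D_j and -1 lies in D_i."""
    j = IND[xi(t)] % d
    i = IND[(P - 1, 0)] % d  # -1 is the prime-field element p - 1
    e = lambda k: cmath.exp(2j * cmath.pi * k / d)
    return (-1 + e(j) + e(-i - j)) / Q


def theorem1_holds(d, tol=1e-9):
    """Exact check of Theorem 1 for every shift 1 <= t <= q-1."""
    return all(abs(autocorrelation(d, t, True) - theorem1_value(d, t)) < tol
               for t in range(1, Q))


def max_abs_autocorrelation(m, field_shift):
    return max(abs(autocorrelation(m, t, field_shift)) for t in range(1, Q))


def corollary1_bound(m):
    """min over divisors d > 1 of q-1 of 2*pi*|m-d|*(q-1)/(m*d), plus 3/q (Corollary 1)."""
    divisors = [d for d in range(2, Q) if (Q - 1) % d == 0]
    return min(2 * cmath.pi * abs(m - d) * (Q - 1) / (m * d) for d in divisors) + 3 / Q


if __name__ == "__main__":
    for d in (2, 3, 4, 6, 8, 12, 16, 24, 48):
        print(f"d={d:2d} theorem1={theorem1_holds(d)} "
              f"max|A+|={max_abs_autocorrelation(d, True):.4f} "
              f"max|A|={max_abs_autocorrelation(d, False):.4f}")
    print(f"m=q={Q}: max|A+|={max_abs_autocorrelation(Q, True):.4f} "
          f"<= {corollary1_bound(Q):.4f}")
```

Running it prints, for each divisor $d$ of $48$, whether the exact value of Theorem 1 is attained and the largest $|A_d^{\oplus}(q,t)|$ and $|A_d(q,t)|$ over all shifts, then the $m = q$ case of Corollary 1. Shifts $t$ with $t_1 = 0$ (multiples of $7$) produce no carries in the $p$-adic addition, so for them $\omega = 0$ for every $n$ and the two autocorrelations coincide, which the script's `autocorrelation(d, 7, False)` and `autocorrelation(d, 7, True)` confirm.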





4 Aperiodic Autocorrelation 

In the previous sections we restricted ourselves to autocorrelations over the full period. Similar results for parts of the period are also cryptographically important and reflect local randomness. Actually, for stream ciphers only a small part of the periodic sequence is used. The aperiodic autocorrelations $AA_d^{\oplus}(q,t,u,v)$ and $AA_d(q,t,u,v)$, $0 \le u \le v \le q-1$, can be defined by

$$AA_d^{\oplus}(q,t,u,v) := \frac{1}{q}\sum_{n=u}^{v} e_d^{\,s_{n\oplus t}-s_n}, \qquad 1 \le t \le q-1,$$

and

$$AA_d(q,t,u,v) := \frac{1}{q}\sum_{n=u}^{v} e_d^{\,s_{n+t}-s_n}, \qquad 1 \le t \le q-1,$$

respectively. The character sum bounds of [22, 29, 31] yield nontrivial results on the aperiodic autocorrelations. For finite prime fields and fixed $t$ the estimates of [3] can also be applied but the implied constant depends on $t$. See also [21] for an improvement. Without any restrictions on $q$ and $t$ we get the following result.

Theorem 3. Let $q$ be a prime power and $d > 1$ be a divisor of $q-1$. For a sequence of the form (2) and for $0 \le u \le v \le q-1$ we have

$$AA_d^{\oplus}(q,t,u,v) = O\bigl(q^{-1/2}\log q\bigr), \qquad 1 \le t \le q-1,$$

where the implied constant is absolute.

Proof. We have

$$q|AA_d^{\oplus}(q,t,u,v)| \le 2 + \Bigl|\sum_{n=u}^{v}\chi_d(\xi_n + \xi_t)\chi_d^{-1}(\xi_n)\Bigr| \le 2 + 2q^{1/2}(1 + \log q)$$

by [29, Theorem 3]. □

We can also prove an analog for $AA_d(q,t,u,v)$.

Theorem 4. Let $q$ be a prime power and $d > 1$ be a divisor of $q-1$. For a sequence of the form (2) and for $0 \le u \le v \le q-1$ we have

$$AA_d(q,t,u,v) = O\bigl(q^{-1/2}(\log p)^{r}\bigr), \qquad 1 \le t \le q-1,$$

where the implied constant depends on $r$ only.

Proof. We may assume $r \ge 2$. As in the proof of Theorem 2 we can express $AA_d(q,t,u,v)$ in terms of character sums of the form

$$\sum_{\xi \in P'_\omega}\chi_d(\xi + \xi_t + \omega)\chi_d^{-1}(\xi),$$

where $P'_\omega = P_\omega \cap \{\xi_u, \ldots, \xi_v\}$. Writing $u_i$ and $v_i$ for the $p$-adic digits of $u$ and $v$, we split $P'_\omega$ in $2r - 1$ boxes,

$$V_{i,\omega} = \{\xi_n \in P'_\omega : n_i = v_i, \ldots, n_r = v_r,\ n_{i-1} \le v_{i-1} - 1\},$$

$$U_{i,\omega} = \{\xi_n \in P'_\omega : n_i = u_i, \ldots, n_r = u_r,\ n_{i-1} \ge u_{i-1} + 1\},$$

for $i = 3, 4, \ldots, r$, and

$$V_{2,\omega} = \{\xi_n \in P'_\omega : n_2 = v_2, n_3 = v_3, \ldots, n_r = v_r\},$$

$$U_{2,\omega} = \{\xi_n \in P'_\omega : n_2 = u_2, n_3 = u_3, \ldots, n_r = u_r\},$$

$$R_\omega = \{\xi_n \in P'_\omega : u_r + 1 \le n_r \le v_r - 1\}.$$

Now each character sum over $V_{i,\omega}$, $U_{i,\omega}$ and $R_\omega$, respectively, can be estimated by

$$2q^{1/2}(\log p)^{r}$$

and the result follows. □



5 Final Remarks 

The cyclotomic numbers $(i,j)_d$ of order $d$ are defined by

$$(i,j)_d = |(D_i + 1) \cap D_j|, \qquad 0 \le i, j \le d-1.$$

(For a monograph on cyclotomic numbers see [1].) The proof of [8, Theorem 5] for $A_3(q,t)$ depends on the knowledge of the cyclotomic numbers of order 3. It can be extended to $A_d(q,t)$ whenever the cyclotomic numbers of order $d$ are known. In particular for $d = 2$ and $q = p$ a prime, Theorem 1 follows already from the result of [23] (see also [28]). Here, we used the observation that the result does not depend on the knowledge of the cyclotomic numbers.

In contrast to Theorem 2 the result of Theorem 1 does not depend on the special choice of the ordering $n = 0, 1, \ldots, q-1$ of the elements of $\mathbb{F}_q$.

Besides the autocorrelation, the linear complexity and the linear complexity profile are important measures for the randomness of sequences. For $r = 1$ and $d$ a prime divisor of $q-1$, exact values for the linear complexity of the sequence (2) have been provided in [7, 8]. In [18] lower bounds on the linear complexity of the sequence (2) for the general case were deduced. For lower bounds on the linear complexity profile see [12, 24, 25, 32]. Related sequences over $\mathbb{F}_d$, where $d$ is a prime power divisor of $q-1$, were investigated in [5].

The autocorrelation of similar sequences was determined in [14, 17, 26]. The generalized Sidelnikov sequences $(a_n)$ are the $(q-1)$-periodic sequences defined by

$$a_n = \chi_d(\gamma^n - 1), \qquad n = 0, 1, \ldots, q-2.$$

Equivalently, we can define $(q-1)$-periodic sequences $(s_n)$ over $\mathbb{Z}_d$ by

$$s_n = \mathrm{ind}_{\gamma,d}(\gamma^n - 1), \qquad n = 0, 1, \ldots, q-2.$$

First results on the linear complexity of these sequences in the binary case can be found in [10, 13]. Although Sidelnikov sequences and the sequences investigated in this paper look very similar at first glance, the latter sequences have some advantages. For large $p$ and $r > 1$ we have two nice pseudorandom properties, Theorems 1 and 2, and the ordering $n = 0, 1, \ldots, q-1$ can be generated faster than the ordering $\gamma^n - 1$, $n = 0, 1, \ldots, q-2$.

Theorem 2 yields nontrivial bounds only if the characteristic $p$ is sufficiently large. Theorem 1 indicates that we also have good randomness properties in the case of small characteristic. However, for some special choices of $t$ our method also yields nontrivial bounds on $A_d(q,t)$ in the case of small characteristic $p$, where if $p = 2$ the sets $P_\omega$ are cosets of subgroups and a slightly better estimation can be performed involving some results of [29, 30]. It remains a challenging open problem to find a nontrivial upper bound on $A_d(q,t)$ for small characteristic and all $t$ as well.

The lower bounds on the linear complexity profile and the upper bounds on 
the autocorrelation confirm that the cyclotomic generator has good randomness 
properties. Because of the close relation of the sequence (2) to the discrete log- 
arithm in Fq the good randomness properties also support the assumption of 
the intractability and unpredictability of the discrete logarithm, and thus of the 
hardness of the discrete logarithm problem. 

Although for several cryptographic applications just the cases $q = p$ and $q = 2^r$ are important, also the case that $q = p^r$ with small $r > 1$ and large $p$ has gained increasing interest. In particular the elliptic curve discrete logarithm problem (see e.g. [2, 19]) and the XTR discrete logarithm problem (see [15, 16]) can be reduced to the discrete logarithm problem in a finite extension field.
Abstract. We examine the structure of the Weierstrass semigroup of an $m$-tuple of points on a smooth, projective, absolutely irreducible curve $X$ over a finite field $\mathbb{F}$. A criterion is given for determining a minimal subset of semigroup elements which generate such a semigroup where $2 \le m \le |\mathbb{F}|$. For all $2 \le m \le q+1$, we determine the Weierstrass semigroup of any $m$-tuple of collinear $\mathbb{F}_{q^2}$-rational points on a Hermitian curve $y^q + y = x^{q+1}$.



1 Introduction 

Let $X$ be a smooth, projective, absolutely irreducible curve of genus $g \ge 1$ over a finite field $\mathbb{F}$. Let $\mathbb{F}(X)$ denote the field of rational functions on $X$ defined over $\mathbb{F}$. The divisor of a rational function $f \in \mathbb{F}(X)$ will be denoted by $(f)$ and the divisor of poles of $f$ will be denoted by $(f)_\infty$.

Given $m$ distinct $\mathbb{F}$-rational points $P_1, \ldots, P_m$ on $X$, the Weierstrass semigroup $H(P_1, \ldots, P_m)$ of the $m$-tuple $(P_1, \ldots, P_m)$ is defined by

$$H(P_1, \ldots, P_m) = \Bigl\{(\alpha_1, \ldots, \alpha_m) \in \mathbb{N}_0^m : \exists f \in \mathbb{F}(X) \text{ with } (f)_\infty = \sum_{i=1}^{m}\alpha_i P_i\Bigr\},$$

and the Weierstrass gap set $G(P_1, \ldots, P_m)$ of the $m$-tuple $(P_1, \ldots, P_m)$ is defined by

$$G(P_1, \ldots, P_m) = \mathbb{N}_0^m \setminus H(P_1, \ldots, P_m),$$

where $\mathbb{N}_0 := \mathbb{N} \cup \{0\}$ denotes the set of nonnegative integers. If $m = 1$, the Weierstrass gap set is the classically studied gap sequence. In [1], the authors generalized the notion of the semigroup of a point to the semigroup of a pair of points on a curve. This study was carried on by S. J. Kim [7] and M. Homma [5]. The Weierstrass gap set of an $m$-tuple of points where $m \ge 2$ has been examined by E. Ballico and Kim [2], and more recently, by C. Carvalho and F. Torres [3]. Weierstrass gap sets play an interesting role in the construction and analysis of algebraic geometry codes (see [4], [9], [6], [3]). While $|G(P_1)| = g$ for any $\mathbb{F}$-rational point $P_1$ on $X$, the cardinality of the set $G(P_1, \ldots, P_m)$ where $m \ge 2$ depends on the choice of points $P_1, \ldots, P_m$ [1]. However, any pair of $\mathbb{F}_{q^2}$-rational points on a Hermitian curve $y^q + y = x^{q+1}$ has the same Weierstrass semigroup [9]. The analogous result does not hold for triples of $\mathbb{F}_{q^2}$-rational points on a Hermitian curve [10].

In this paper, we consider the notion of a minimal generating subset of a Weierstrass semigroup of an $m$-tuple of points on an arbitrary (smooth, projective, absolutely irreducible) curve over a finite field $\mathbb{F}$. In Section 2, we discuss properties of minimal elements of the Weierstrass semigroup. This section concludes with a useful characterization of the elements of the minimal generating set of the Weierstrass semigroup of an $m$-tuple of points for $2 \le m \le |\mathbb{F}|$. An interesting application of this is found in Section 3 where we see that any $m$-tuple of collinear $\mathbb{F}_{q^2}$-rational points on a Hermitian curve $y^q + y = x^{q+1}$ has the same Weierstrass semigroup. In addition, we determine this Weierstrass semigroup and its minimal generating set.

2 Results for Arbitrary Curves 

Let $X$ be a smooth, projective, absolutely irreducible curve of genus $g \ge 1$ over a finite field $\mathbb{F}$. Fix $m$ distinct $\mathbb{F}$-rational points $P_1, \ldots, P_m$ on $X$, where $2 \le m \le |\mathbb{F}|$. For $1 \le l \le m$, set $H_l := H(P_1, \ldots, P_l)$. Define a partial order $\preceq$ on $\mathbb{N}_0^m$ by $(n_1, \ldots, n_m) \preceq (p_1, \ldots, p_m)$ if and only if $n_i \le p_i$ for all $i$, $1 \le i \le m$. It is convenient to collect here two results from [3] that will be used in this section.

Lemma 1. [3] If $(n_1, \ldots, n_m), (p_1, \ldots, p_m) \in H_m$ and $n_j = p_j$ for some $j$, $1 \le j \le m$, then there exists $q = (q_1, \ldots, q_m) \in H_m$ whose coordinates satisfy the following properties:

1. $q_i = \max\{n_i, p_i\}$ for $i \ne j$ and $n_i \ne p_i$.

2. $q_i \le n_i$ for $i \ne j$ and $n_i = p_i$.

3. $q_j = n_j = 0$ or $q_j < n_j$.

Lemma 2. [3] Suppose that there exists $i$, $1 \le i \le m$, such that $(n_1, \ldots, n_m)$ is a minimal element of the set $\{p \in H_m : p_i = n_i\}$ with respect to $\preceq$. If $n_i > 0$ and $n_j > 0$ for some $j$, $1 \le j \le m$, $j \ne i$, then $n_i \in G(P_i)$.

Proposition 3. Let $n \in \mathbb{N}_0^m$. Then $n$ is minimal in $\{p \in H_m : p_i = n_i\}$ with respect to $\preceq$ for some $i$, $1 \le i \le m$, if and only if $n$ is minimal in the set $\{p \in H_m : p_i = n_i\}$ with respect to $\preceq$ for all $i$, $1 \le i \le m$.

Proof. Suppose $n \in \mathbb{N}_0^m$ is minimal in $\{p \in H_m : p_i = n_i\}$ with respect to $\preceq$ for some $i$, $1 \le i \le m$. Without loss of generality, we may assume that $i = 1$. Suppose there exists $j$, $2 \le j \le m$, such that $n$ is not minimal in $\{p \in H_m : p_j = n_j\}$. Then there exists $v \in H_m$ such that $v \preceq n$, $v \ne n$, and $v_j = n_j$. Note that $v_1 < n_1$ as otherwise $v \in \{p \in H_m : p_1 = n_1\}$ contradicting the minimality of $n$. Applying Lemma 1, we see that there exists $q \in H_m$ with $q_1 = n_1$, $q_j < n_j$, and $q_i \le n_i$ for all $1 \le i \le m$. Thus, $q \preceq n$, $q \ne n$, and $q \in \{p \in H_m : p_1 = n_1\}$. This contradicts the minimality of $n$ in $\{p \in H_m : p_1 = n_1\}$. Thus, $n$ is minimal in $\{p \in H_m : p_j = n_j\}$ for all $j$, $1 \le j \le m$. □
Using these ideas, we set out to describe a subset of $H_m$ that generates the entire semigroup $H_m$. To begin, set $\Gamma_1^+ = H(P_1)$, the Weierstrass semigroup of the point $P_1$. For $2 \le l \le m$, define

$$\Gamma_l^+ := \{n \in \mathbb{N}^l : n \text{ is minimal in } \{p \in H_l : p_i = n_i\} \text{ for some } i,\ 1 \le i \le l\}.$$

The notion of $\Gamma_2^+$ is due to Kim [7]. As an immediate consequence of Proposition 3 and Lemma 2, we obtain the following result.

Lemma 4. For $2 \le l \le m$, $\Gamma_l^+ \subseteq G(P_1) \times \cdots \times G(P_l)$.

Using $\Gamma_l^+$, we will now describe a subset $\Gamma_l$ of $H_l$ for $1 \le l \le m$. First, set $\Gamma_1 = \Gamma_1^+ = H(P_1)$. For $2 \le l \le m$, define

$$\Gamma_l := \Gamma_l^+ \cup \Bigl\{n \in \mathbb{N}_0^l : (n_{i_1}, \ldots, n_{i_k}) \in \Gamma_k^+ \text{ for some } \{i_1, \ldots, i_l\} = \{1, \ldots, l\} \text{ such that } i_1 < \cdots < i_k \text{ and } n_{i_{k+1}} = \cdots = n_{i_l} = 0\Bigr\}.$$

Clearly, $\Gamma_m$ is completely determined by $\{\Gamma_l^+ : 1 \le l \le m\}$.

Example 5. Consider the curve defined by $y^8 + y = x^9$ over $\mathbb{F}_{64}$. Let $P_1 = P_\infty$ denote the point at infinity and $P_2 = P_{00}$ denote the common zero of $x$ and $y$. It is well known that the Weierstrass gap set of the point $P_1$ (and $P_2$) is

 1  2  3  4  5  6  7
10 11 12 13 14 15
19 20 21 22 23
28 29 30 31
37 38 39
46 47
55

Equivalently, the Weierstrass semigroup of the point $P_1$ is the additive subsemigroup of $\mathbb{N}_0$ generated by 8 and 9; that is, $H(P_1) = \langle 8, 9 \rangle := \{8a + 9b : a, b \in \mathbb{N}_0\}$. Hence, $\Gamma_1 = \langle 8, 9 \rangle$. According to [9],

$$\Gamma_2^+ = \left\{\begin{array}{l} (1,55),\ (2,47),\ (3,39),\ (4,31),\ (5,23),\ (6,15),\ (7,7),\ (10,46), \\ (11,38),\ (12,30),\ (13,22),\ (14,14),\ (15,6),\ (19,37),\ (20,29), \\ (21,21),\ (22,13),\ (23,5),\ (28,28),\ (29,20),\ (30,12),\ (31,4), \\ (37,19),\ (38,11),\ (39,3),\ (46,10),\ (47,2),\ (55,1) \end{array}\right\}.$$

Then

$$\Gamma_2 = \Gamma_2^+ \cup \{(n,0), (0,n) : n \in \langle 8, 9 \rangle\}.$$

We will show that $\Gamma_m$ generates $H_m$ by taking least upper bounds. Given $u_1, \ldots, u_l \in \mathbb{N}_0^m$, define the least upper bound of $u_1, \ldots, u_l$ by

$$\mathrm{lub}\{u_1, \ldots, u_l\} = \bigl(\max\{u_{1,1}, \ldots, u_{l,1}\}, \ldots, \max\{u_{1,m}, \ldots, u_{l,m}\}\bigr) \in \mathbb{N}_0^m,$$

where $u_{i,k}$ denotes the $k$-th coordinate of $u_i$. In [7], Kim proved that $H_2 = \{\mathrm{lub}\{u_1, u_2\} \in \mathbb{N}_0^2 : u_1, u_2 \in \Gamma_2\}$. To obtain a similar result for $H_m$ where $m \ge 3$, we use the next fact which follows immediately from [3].
Proposition 6. Suppose that $1 \le l \le m \le |\mathbb{F}|$ and $u_1, \ldots, u_l \in H_m$. Then $\mathrm{lub}\{u_1, \ldots, u_l\} \in H_m$.

Proof. Let $q_2 := \mathrm{lub}\{u_1, u_2\}$. For $3 \le i \le l$, define $q_i := \mathrm{lub}\{q_{i-1}, u_i\}$. According to [3], $q_2 \in H_m$. Repeated application gives $q_i \in H_m$ for all $i \in \{2, \ldots, l\}$. This completes the proof as $\mathrm{lub}\{u_1, \ldots, u_l\} = q_l \in H_m$. □

Theorem 7. If $1 \le m \le |\mathbb{F}|$, then

$$H_m = \{\mathrm{lub}\{u_1, \ldots, u_m\} \in \mathbb{N}_0^m : u_1, \ldots, u_m \in \Gamma_m\}.$$

Proof. The fact that $\{\mathrm{lub}\{u_1, \ldots, u_m\} \in \mathbb{N}_0^m : u_1, \ldots, u_m \in \Gamma_m\} \subseteq H_m$ follows from Proposition 6.

Suppose $n \in H_m \setminus \Gamma_m$. Without loss of generality, we may assume that $n \in \mathbb{N}^m$. (Otherwise, $(n_{i_1}, \ldots, n_{i_l}) \in \mathbb{N}^l$ for some $\{i_1, \ldots, i_m\} = \{1, \ldots, m\}$ such that $i_1 < \cdots < i_l$ and $n_{i_{l+1}} = \cdots = n_{i_m} = 0$, and the same argument applies to $(n_{i_1}, \ldots, n_{i_l})$.) Then, according to Proposition 3, $n$ is not minimal in $\{p \in H_m : p_i = n_i\}$ for any $i$, $1 \le i \le m$. Hence, there exists $u_i \in \Gamma_m$ with $u_{i,i} = n_i$, $u_i \preceq n$, and $u_i \ne n$ for each $i$, $1 \le i \le m$. Then $n = \mathrm{lub}\{u_1, \ldots, u_m\}$, completing the proof. □

According to Theorem 7 and the definition of $\Gamma_m$, the Weierstrass semigroup $H_m$ is completely determined by $\{\Gamma_l^+ : 1 \le l \le m\}$. We conclude this section with a useful characterization of elements of the sets $\Gamma_l^+$, $1 \le l \le m$. To do this, it is helpful to consider dimensions of certain divisors. For a divisor $D$ on $X$ defined over $\mathbb{F}$, let $L(D)$ denote the set of rational functions $f \in \mathbb{F}(X)$ with divisor $(f) \ge -D$ together with the zero function. Then $L(D)$ is a finite dimensional vector space over $\mathbb{F}$. Let $l(D)$ denote the dimension of the vector space $L(D)$ over $\mathbb{F}$. The Riemann-Roch Theorem states that $l(D) = \deg D + 1 - g + l(K - D)$, where $K$ is any canonical divisor on $X$. This gives a characterization of elements of the Weierstrass semigroup of an $m$-tuple $(P_1, \ldots, P_m)$ according to dimensions of divisors supported by the points $P_1, \ldots, P_m$. This is an easy generalization of a lemma due to Kim [7].

Lemma 8. For $(\alpha_1, \ldots, \alpha_m) \in \mathbb{N}_0^m$, the following are equivalent:

(i) $(\alpha_1, \ldots, \alpha_m) \in H(P_1, \ldots, P_m)$.

(ii) $l\bigl(\sum_{i=1}^{m}\alpha_i P_i\bigr) = l\bigl((\alpha_j - 1)P_j + \sum_{i=1, i \ne j}^{m}\alpha_i P_i\bigr) + 1$ for all $j$, $1 \le j \le m$.

Proposition 9. Let $1 \le l \le m \le |\mathbb{F}|$ and $n \in \mathbb{N}^l$. Then $n \in \Gamma_l^+$ if and only if $n \in H_l$ and

$$l\Bigl(\sum_{j=1}^{l}(n_j - 1)P_j\Bigr) = l\Bigl((n_k - 1)P_k + \sum_{j=1, j \ne k}^{l} n_j P_j\Bigr) \quad\text{for all } k,\ 1 \le k \le l.$$

Proof. Suppose $n \in \Gamma_l^+$. If $l\bigl(\sum_{j=1}^{l}(n_j - 1)P_j\bigr) \ne l\bigl((n_k - 1)P_k + \sum_{j \ne k} n_j P_j\bigr)$ for some $k$, $1 \le k \le l$, then there exists $v \in H_l$ with $v \preceq n$, $v_k \le n_k - 1$, and $v_t = n_t$ for some $t$, $1 \le t \le l$. This contradicts the assumption that $n$ is minimal in $\{p \in H_l : p_t = n_t\}$. Thus, $l\bigl(\sum_{j=1}^{l}(n_j - 1)P_j\bigr) = l\bigl((n_k - 1)P_k + \sum_{j \ne k} n_j P_j\bigr)$ for all $k$, $1 \le k \le l$.

Suppose $n \in H_l$ and $l\bigl(\sum_{j=1}^{l}(n_j - 1)P_j\bigr) = l\bigl((n_k - 1)P_k + \sum_{j \ne k} n_j P_j\bigr)$ for all $k$, $1 \le k \le l$. This implies

$$L\Bigl((n_1 - 1)P_1 + \sum_{j=2}^{l} n_j P_j\Bigr) = L\Bigl(\sum_{j=1}^{l}(n_j - 1)P_j\Bigr) = L\Bigl((n_k - 1)P_k + \sum_{j=1, j \ne k}^{l} n_j P_j\Bigr)$$

for all $k$, $1 \le k \le l$, as $L\bigl(\sum_{j=1}^{l}(n_j - 1)P_j\bigr) \subseteq L\bigl((n_k - 1)P_k + \sum_{j \ne k} n_j P_j\bigr)$. If $n \notin \Gamma_l^+$, then there exists $u \in H_l$ with $u_1 = n_1$, $u \preceq n$, and $u \ne n$. In particular, $u_k < n_k$ for some $k$, $2 \le k \le l$. Thus, there exists a rational function $f \in L\bigl((n_k - 1)P_k + \sum_{j \ne k} n_j P_j\bigr)$ such that $f \notin L\bigl((n_1 - 1)P_1 + \sum_{j=2}^{l} n_j P_j\bigr)$, which is a contradiction. □



3 Computation of $H(P_1, \ldots, P_m)$ for Collinear Points $P_1, \ldots, P_m$ on a Hermitian Curve

In this section, we restrict our attention to the curve $X$ defined by $y^q + y = x^{q+1}$ over $\mathbb{F}_{q^2}$. Given $a, b \in \mathbb{F}_{q^2}$ with $b^q + b = a^{q+1}$, let $P_{ab}$ denote the common zero of $x - a$ and $y - b$. Fix $a \in \mathbb{F}_{q^2}$. Then there are exactly $q$ elements $b_2, \ldots, b_{q+1} \in \mathbb{F}_{q^2}$ such that $b_i^q + b_i = a^{q+1}$. Set $P_1 = P_\infty$, $P_2 = P_{ab_2}$, $P_3 = P_{ab_3}$, $\ldots$, $P_{q+1} = P_{ab_{q+1}}$. For $1 \le m \le q+1$, let $H_m := H(P_1, \ldots, P_m)$. We set out to determine $H_m$ for all $1 \le m \le q+1$.

Notice that the divisors of $x - a$ and $y$ are given by

$$(x - a) = \sum_{i=2}^{q+1} P_{ab_i} - qP_\infty \quad\text{and}\quad (y) = (q+1)(P_{00} - P_\infty).$$

It will also be useful to consider functions $h_{ab_i} := y - b_i - a^q(x - a)$ where $2 \le i \le q+1$. Note that the divisor of $h_{ab_i}$ is given by

$$(h_{ab_i}) = (q+1)(P_{ab_i} - P_\infty)$$

(see [8]). Using the functions $x$ and $y$ and the fact that $X$ is a curve of genus $q(q-1)/2$, one can check $H(P_1) = \langle q, q+1 \rangle$ and that the Weierstrass gap set $G(P_1)$ is

1  2  ...  q-2  q-1
(q+1)+1  (q+1)+2  ...  (q+1)+(q-2)
...
(q-3)(q+1)+1  (q-3)(q+1)+2
(q-2)(q+1)+1

In fact, the above set is the Weierstrass gap set of any $\mathbb{F}_{q^2}$-rational point on $X$. Given $\alpha \in G(P)$ where $P$ is any $\mathbb{F}_{q^2}$-rational point, $\alpha$ can be written uniquely as $\alpha = (t - j)(q+1) + j$ with $1 \le j \le t \le q-1$. Here, $j$ denotes the column containing $\alpha$ and $t$ denotes the diagonal containing $\alpha$ in the above diagram. From above, $\Gamma_1^+ = H(P_1) = \langle q, q+1 \rangle$. According to [9, Theorem 3.7],

$$\Gamma_2^+ = \bigl\{\bigl((t_1 - j)(q+1) + j,\ (t_2 - j)(q+1) + j\bigr) : t_1 + t_2 = q + j - 1,\ 1 \le j \le t_1, t_2 \le q-1\bigr\}.$$

To describe $\Gamma_m^+$ for $3 \le m \le q+1$, we must set up some notation. Given $1 \le m \le q+1$, $t = (t_1, \ldots, t_m) \in \mathbb{N}^m$, and $j \in \mathbb{N}$, define

$$\gamma_{t,j} := \bigl((t_1 - j)(q+1) + j,\ (t_2 - j)(q+1) + j,\ \ldots,\ (t_m - j)(q+1) + j\bigr) \in \mathbb{N}^m.$$

Notice that if $1 \le j \le t_i \le q-1$ for all $1 \le i \le m$, then

$$\gamma_{t,j} \in G(P_1) \times G(P_2) \times \cdots \times G(P_m).$$

We next show that certain $\gamma_{t,j}$ form a generating set for the Weierstrass semigroup $H_m$.

Theorem 10. Let $a \in \mathbb{F}_{q^2}$ and $P_1 = P_\infty$, $P_2 = P_{ab_2}$, $P_3 = P_{ab_3}$, $\ldots$, $P_{q+1} = P_{ab_{q+1}}$ be $q+1$ distinct $\mathbb{F}_{q^2}$-rational points on the Hermitian curve $X$ defined by $y^q + y = x^{q+1}$. For $2 \le m \le q+1$,

$$\Gamma_m^+ = \Bigl\{\gamma_{t,j} : \sum_{i=1}^{m} t_i = q + (m-1)(j-1),\ 1 \le j \le t_i \le q-1 \text{ for all } 1 \le i \le m\Bigr\}.$$

In particular, the Weierstrass semigroup $H(P_1, \ldots, P_m)$ is generated by

$$\Bigl\{n \in \mathbb{N}_0^m : (n_{i_1}, \ldots, n_{i_l}) = \gamma_{t,j} \in \Gamma_l^+ \text{ and } n_{i_{l+1}} = \cdots = n_{i_m} = 0 \text{ for some } l \in \mathbb{N} \text{ and } \{i_1, \ldots, i_m\} = \{1, \ldots, m\}\Bigr\}.$$
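The following Python script is an added worked example, constructed here and not part of the paper: for the Hermitian curve with $q = 8$ it computes the gap set $G(P_1)$ of $\langle q, q+1 \rangle$ and the diagram coordinates $(t, j)$ of a gap, the sets $\Gamma_m^+$ from the formula of Theorem 10, and $H_2$ inside a box by least upper bounds of elements of $\Gamma_2$ as in Theorem 7. The list $\Gamma_2^+$ of Example 5 is embedded as a constant so that the formula of Theorem 10 can be compared against it; the box bound $60$ is an arbitrary choice for the example.

```python
from itertools import product

# Gamma_2^+ for q = 8 as listed in Example 5 of the paper, used for comparison.
EXAMPLE5_GAMMA2_PLUS = {
    (1, 55), (2, 47), (3, 39), (4, 31), (5, 23), (6, 15), (7, 7), (10, 46),
    (11, 38), (12, 30), (13, 22), (14, 14), (15, 6), (19, 37), (20, 29),
    (21, 21), (22, 13), (23, 5), (28, 28), (29, 20), (30, 12), (31, 4),
    (37, 19), (38, 11), (39, 3), (46, 10), (47, 2), (55, 1),
}


def semigroup_elements(q, bound):
    """H(P_1) = <q, q+1> = {a q + b (q+1) : a, b >= 0} truncated to [0, bound]."""
    return {a * q + b * (q + 1)
            for a in range(bound // q + 1) for b in range(bound // (q + 1) + 1)
            if a * q + b * (q + 1) <= bound}


def gap_set(q):
    """G(P_1), the positive integers not in <q, q+1>; all gaps lie below q(q-1)."""
    return set(range(1, q * (q - 1))) - semigroup_elements(q, q * (q - 1))


def diagram_position(alpha, q):
    """Write a gap alpha uniquely as (t - j)(q+1) + j with 1 <= j <= t <= q-1; return (t, j)."""
    j = alpha % (q + 1)
    return alpha // (q + 1) + j, j


def gamma(t, j, q):
    """gamma_{t,j} = ((t_1 - j)(q+1) + j, ..., (t_m - j)(q+1) + j)."""
    return tuple((ti - j) * (q + 1) + j for ti in t)


def gamma_plus(q, m):
    """Gamma_m^+ of Theorem 10: gamma_{t,j} with sum t_i = q + (m-1)(j-1), 1 <= j <= t_i <= q-1."""
    out = set()
    for j in range(1, q):
        for t in product(range(j, q), repeat=m):
            if sum(t) == q + (m - 1) * (j - 1):
                out.add(gamma(t, j, q))
    return out


def lub(*vectors):
    """Coordinatewise least upper bound of the given vectors."""
    return tuple(max(coords) for coords in zip(*vectors))


def gamma2(q, bound):
    """Gamma_2 = Gamma_2^+ together with the axis elements (n, 0), (0, n), n in <q, q+1>."""
    axis = semigroup_elements(q, bound)
    plus = {g for g in gamma_plus(q, 2) if max(g) <= bound}
    return plus | {(n, 0) for n in axis} | {(0, n) for n in axis}


def h2_in_box(q, bound):
    """H_2 restricted to [0, bound]^2, computed as lubs of pairs from Gamma_2 (Theorem 7)."""
    gens = gamma2(q, bound)
    return {lub(u, v) for u in gens for v in gens}


def closed_under_generators(q, bound):
    """Sanity check: H_2 is a semigroup, so adding a generator to an element stays inside."""
    h2 = h2_in_box(q, bound)
    for u in gamma2(q, bound):
        for v in h2:
            w = (u[0] + v[0], u[1] + v[1])
            if max(w) <= bound and w not in h2:
                return False
    return True


if __name__ == "__main__":
    q = 8
    print(sorted(gap_set(q)))
    print(gamma_plus(q, 2) == EXAMPLE5_GAMMA2_PLUS, len(gamma_plus(q, 3)))
    print(closed_under_generators(q, 60))
```

The first print reproduces the gap diagram of Example 5 as a sorted list, the second confirms that the formula of Theorem 10 with $m = 2$ gives exactly the 28 pairs listed there and reports the size of $\Gamma_3^+$, and the third checks that the set obtained by least upper bounds is closed under adding generators inside the box, as a semigroup must be.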

Proof. We begin by setting up some notation. For $2 \le m \le q+1$, set

$$S_m := \Bigl\{\gamma_{t,j} : \sum_{i=1}^{m} t_i = q + (m-1)(j-1),\ 1 \le j \le t_i \le q-1 \text{ for all } 1 \le i \le m\Bigr\}.$$

For each $2 \le i \le q+1$, let $h_{i-1} := h_{ab_i} \in \mathbb{F}_{q^2}(X)$ be as above so that

$$(h_{i-1}) = (q+1)P_i - (q+1)P_1.$$

Given $v := (v_1, \ldots, v_m) \in \mathbb{Z}^m$, let $v^+ := (v_{i_1}, \ldots, v_{i_l}) \in \mathbb{N}^l$ where $i_1 < \cdots < i_l$ and $v_i > 0$ if and only if $i = i_r$ for some $1 \le r \le l$; that is, $v^+$ is the vector formed from $v$ by deleting each coordinate of $v$ containing a negative or zero entry.

We will prove that $\Gamma_m^+ = S_m$ by induction on $m$. By [9, Theorem 3.7],

$$\Gamma_2^+ = \{\gamma_{(t_1,t_2),j} : t_1 + t_2 = q + j - 1,\ 1 \le j \le t_1, t_2 \le q-1\} = S_2,$$

which settles the case where $m = 2$. We now proceed by induction on $m \ge 3$. Assume that $\Gamma_l^+ = S_l$ holds for all $2 \le l \le m-1$.
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First, we claim that Sm C r+. Let 7tj € Sm- Then 

i+U*3-i+i Ltm-j+i ) = 

^^3 • • • ^ 

Hence, $\gamma_{t,j} \in H_m$.

In order to show that $\gamma_{t,j} \in \Gamma_m^+$, it suffices to prove that $\gamma_{t,j}$ is minimal in
$\{p \in H_m : p_1 = (t_1-j)(q+1)+j\}$. Suppose $\gamma_{t,j}$ is not minimal in

$\{p \in H_m : p_1 = (t_1-j)(q+1)+j\}.$

Then there exists $u \in H_m$ with $u_1 = (t_1-j)(q+1)+j$, $u \preceq \gamma_{t,j}$, and $u \ne \gamma_{t,j}$.
Let $f \in \mathbb{F}_{q^2}(X)$ be such that $(f)_\infty = u_1P_1 + \cdots + u_mP_m$. Without loss of
generality, we may assume that $u_m < (t_m-j)(q+1)+j$, as $u \ne \gamma_{t,j}$ gives
$u_i < (t_i-j)(q+1)+j$ for some $2 \le i \le m$ and a similar argument holds if
$2 \le i \le m-1$. Hence,

$u_m = (t_m-j)(q+1)+j-k$

for some $k \ge 1$. There are two cases to consider:

(1) $j > k$.

(2) $j \le k$.



Case (1): Suppose $j > k$. Then

$\left(f\,h_m^{\,t_m-j}\,(x-\alpha)^{\,j-k}\right)_\infty = ((t_1+t_m-j-k)(q+1)+k)P_1 + \sum_{i=2}^{m-1} \max\{u_i-(j-k),\,0\}P_i.$

Therefore,

$v := ((t_1+t_m-j-k)(q+1)+k,\ v_2,\ \ldots,\ v_{m-1}) \in H_{m-1},$

where $v_i = \max\{u_i-(j-k),\,0\}$ for $2 \le i \le m-1$. Set

$w := \gamma_{(t_1+t_m-j,\ t_2-j+1+k,\ t_3-j+k,\ \ldots,\ t_{m-1}-j+k),\,k}.$



Clearly,

$v \preceq w.$

Note that

$w \in S_{m-1}$

since $t_1+t_m-j + t_2-j+1+k + \sum_{i=3}^{m-1}(t_i-j+k) = q+(m-2)(k-1)$,
$k \le t_2-j+1+k \le t_2 \le q-1$ as $j-k > 0$, $k \le t_i-j+k \le t_i \le q-1$
for $3 \le i \le m-1$, and $k < j \le t_1+t_m-j \le q-1$ (otherwise, $\sum_{i=2}^{m-1} t_i <
(m-2)(j-1) < (m-2)j$). By the induction hypothesis, $S_{m-1} = \Gamma_{m-1}^+$ and so

$w \in \Gamma_{m-1}^+.$
By Proposition 3, $w$ is minimal in $\{p \in H_{m-1} : p_1 = (t_1+t_m-j-k)(q+1)+k\}$.
This leads to a contradiction as

$v \in \{p \in H_{m-1} : p_1 = (t_1+t_m-j-k)(q+1)+k\},$

$v \preceq w$, and

$v \ne w.$

Case (2): Suppose $j \le k$. Then

$\left(f\,h_m^{\,t_m-j}\right)_\infty = ((t_1+t_m-j-j)(q+1)+j)P_1 + \sum_{i=2}^{m-1} u_iP_i,$

which implies that

$v := ((t_1+t_m-j-j)(q+1)+j,\ u_2,\ \ldots,\ u_{m-1}) \in H_{m-1}.$

Note that there exists $i$, $2 \le i \le m-1$, such that $t_i < q-1$ since otherwise
$2j \le t_1+t_m = q+(m-1)(j-1)-(m-2)(q-1)$ implies that $0 \le 2-m$,
contradicting the assumption that $m \ge 3$. We may assume that $i = 2$ as a similar
argument holds in the case $2 < i \le m-1$. Set

$w := \gamma_{(t_1+t_m-j,\ t_2+1,\ t_3,\ \ldots,\ t_{m-1}),\,j}.$



Clearly,

$v \preceq w.$

Also note that

$w \in S_{m-1}$

since $t_1+t_m-j+t_2+1+\sum_{i=3}^{m-1} t_i = q+(m-2)(j-1)$, $j \le t_2+1 \le q-1$ as
$t_2 < q-1$, $j \le t_i \le q-1$ for $3 \le i \le m-1$, and $j \le t_1+t_m-j \le q-1$. By the
induction hypothesis, $S_{m-1} = \Gamma_{m-1}^+$, and so

$w \in \Gamma_{m-1}^+.$

By Proposition 3, $w$ is minimal in $\{p \in H_{m-1} : p_1 = (t_1+t_m-j-j)(q+1)+j\}$.
This leads to a contradiction as

$v \in \{p \in H_{m-1} : p_1 = (t_1+t_m-j-j)(q+1)+j\},$

$v \preceq w$, and

$v \ne w.$

Since both cases (1) and (2) yield a contradiction, it must be the case that
$\gamma_{t,j}$ is minimal in $\{p \in H_m : p_1 = (t_1-j)(q+1)+j\}$.

Therefore, by the definition of $\Gamma_m^+$, we have that $\gamma_{t,j} \in \Gamma_m^+$. This completes
the proof of the claim that

$S_m \subseteq \Gamma_m^+.$

Next, we will show that $\Gamma_m^+ \subseteq S_m$.
Suppose not; that is, suppose that there exists $n \in \Gamma_m^+ \setminus S_m$. Then there
exists $f \in \mathbb{F}_{q^2}(X)$ with pole divisor $(f)_\infty = n_1P_1 + \cdots + n_mP_m$. By Lemma 4,

$n \in \Gamma_m^+ \subseteq G(P_1) \times G(P_2) \times \cdots \times G(P_m).$

Thus,

$n = ((t_1-j_1)(q+1)+j_1,\ (t_2-j_2)(q+1)+j_2,\ \ldots,\ (t_m-j_m)(q+1)+j_m)$

where $1 \le j_i \le t_i \le q-1$ for all $1 \le i \le m$.

Without loss of generality, we may assume that $j_m = \max\{j_i : 2 \le i \le m\}$
as a similar argument holds if $j_r = \max\{j_i : 2 \le i \le m\}$ for some $2 \le r \le m-1$.

Then

$\left(f\,h_m^{\,t_m-j_m+1}\right)_\infty = (n_1+(t_m-j_m+1)(q+1))P_1 + \sum_{i=2}^{m-1} n_iP_i,$

which implies that $(n_1+(t_m-j_m+1)(q+1),\ n_2,\ \ldots,\ n_{m-1}) \in H_{m-1}$. Then there
exists $u \in \Gamma_{m-1}^+$ such that

$u \preceq (n_1+(t_m-j_m+1)(q+1),\ n_2,\ \ldots,\ n_{m-1})$

and $u_2 = n_2 = (t_2-j_2)(q+1)+j_2$. If $u_1 < n_1$, then $(u_1, \ldots, u_{m-1}, 0) \preceq n$, which
contradicts the minimality of $n$ in $\{p \in H_m : p_2 = n_2\}$. Thus, $u_1 \ge n_1 > 0$. By
the induction hypothesis,

$u^+ \in S_l = \Gamma_l^+$

for some $l$, $2 \le l \le m-1$, and some $(T_1, \ldots, T_l)$ and $j'$ satisfying $1 \le j' \le
T_r \le q-1$ for $1 \le r \le l$ and $\sum_{r=1}^l T_r = q+(l-1)(j'-1)$.

Hence, there exists an index set $\{i_1, \ldots, i_{m-1}\} = \{1, \ldots, m-1\}$ such that
$i_1 < i_2 < \cdots < i_l$ and

$u_{i_r} = \begin{cases} (T_r-j')(q+1)+j' & \text{if } 1 \le r \le l, \\ 0 & \text{if } l+1 \le r \le m-1. \end{cases}$

Since $u_1 \ge n_1 > 0$, $i_1 = 1$. Similarly, $i_2 = 2$ because $u_2 = n_2 \ne 0$. Since

$(T_2-j')(q+1)+j' = u_{i_2} = u_2 = (t_2-j_2)(q+1)+j_2$

implies that $(q+1) \mid (j'-j_2)$, we must have that $j' = j_2$ as $-(q-1) < j'-j_2 <
q-1$. In addition, $T_2 = t_2$. As a result,

$u^+ = \gamma_{(T_1, T_2, T_{i_3}, \ldots, T_{i_l}),\,j_2},$

$u_{i_r} = \begin{cases} (T_{i_r}-j_2)(q+1)+j_2 & \text{if } 1 \le r \le l, \\ 0 & \text{if } l+1 \le r \le m-1, \end{cases}$

$T_1+T_2+T_{i_3}+\cdots+T_{i_l} = q+(l-1)(j_2-1)$, and $j_2 \le T_{i_r} \le q-1$ for all $1 \le r \le l$.

At this point, we separate the remainder of the proof into two cases:

(1) $u_1-(t_m-j_m+1)(q+1) \ge 0$

(2) $u_1-(t_m-j_m+1)(q+1) < 0$

Case (1): Suppose $u_1-(t_m-j_m+1)(q+1) \ge 0$.

Since $(q+1) \nmid j_2$, it follows that $u_1-(t_m-j_m+1)(q+1) > 0$. Set

Notice that $v \preceq n$ since $u_1 \le n_1+(t_m-j_m+1)(q+1)$, $u_i \le n_i$ for $2 \le i \le m-1$,
and $j_2 \le j_m = \max\{j_i : 2 \le i \le m\}$. We claim that $v^+ \in S_{l+1}$. To see this, it is
helpful to express $v^+$ as

$v^+ = \gamma_{(T_1-t_m+j_m-1,\ T_2,\ T_{i_3},\ \ldots,\ T_{i_l},\ t_m-j_m+j_2),\,j_2}.$

It is easy to see that $T_1-t_m+j_m-1+T_2+T_{i_3}+\cdots+T_{i_l}+t_m-j_m+j_2 = q+l(j_2-1)$,
$T_1-(t_m-j_m)-1 \le T_1 \le q-1$, $j_2 \le T_{i_r} \le q-1$ for $2 \le r \le l$, and
$j_2 \le t_m-j_m+j_2 \le t_m \le q-1$ as $j_2 \le j_m$. If $T_1-t_m+j_m-1 < j_2$, then
$u_1-(t_m-j_m+1)(q+1) = (T_1-j_2-(t_m-j_m+1))(q+1)+j_2 < 0$, which is
not the case.

Thus, $j_2 \le T_1-t_m+j_m-1$, establishing the claim that $v^+ \in S_{l+1}$. Since
$S_{l+1} \subseteq \Gamma_{l+1}^+ \subseteq H_{l+1}$, it follows that $v \in \Gamma_m \subseteq H_m$. Now, $v \preceq n$ and $n \in \Gamma_m^+$
force $n = v$ as otherwise $n$ is not minimal in $\{p \in H_m : p_2 = n_2\}$. Hence,
$l+1 = m$ and $n = v = v^+ \in S_m$, which is a contradiction.

Case (2): Suppose that $u_1-(t_m-j_m+1)(q+1) < 0$.
There are two subcases to consider:

(a) $j_1 < t_1$.

(b) $j_1 = t_1$.

Subcase (a): Suppose $j_1 < t_1$. Set

$v := ((t_1-j_1+j_2-1-j_2)(q+1)+j_2,\ u_2,\ \ldots,\ u_{m-1},\ (T_1-t_1+j_1-j_2)(q+1)+j_2).$

Notice that $v \preceq n$ and $v \ne n$ since $(t_1-j_1-1)(q+1)+j_2 < (t_1-j_1)(q+1) \le
(t_1-j_1)(q+1)+j_1$, $u_i \le n_i$ for $2 \le i \le m-1$, and $u_1 < (t_m-j_m+1)(q+1)$
implies that $T_1-j_2 \le t_m-j_m$, which leads to $(T_1-t_1+j_1-j_2)(q+1)+j_2 \le
(t_m-j_m)(q+1)+j_m$ as $j_2 \le j_m$. The fact that $j_1 < t_1$ gives $v^+ \in \mathbb{N}^{l+1}$. We
claim that $v^+ \in S_{l+1}$. To see this, it is helpful to express $v^+$ as

$v^+ = \gamma_{(t_1-j_1+j_2-1,\ T_2,\ T_{i_3},\ \ldots,\ T_{i_l},\ T_1-t_1+j_1),\,j_2}.$

It is easy to see that $t_1-j_1+j_2-1+T_2+T_{i_3}+\cdots+T_{i_l}+T_1-t_1+j_1 =
q+l(j_2-1)$, $j_2 \le T_{i_r} \le q-1$ for $2 \le r \le l$, $j_2 \le t_1-j_1+j_2-1$ as $j_1 < t_1$, and
$T_1-(t_1-j_1) \le q-1$. In order to conclude that $v^+ \in S_{l+1}$, it only remains to
show that $t_1-j_1+j_2-1 \le q-1$ and $j_2 \le T_1-t_1+j_1$. It suffices to show that $j_2 \le
T_1-t_1+j_1$ since this implies that $j_2 \le q-(t_1-j_1)$ and so $t_1-j_1+j_2-1 \le q-1$.

If $j_2 > T_1-t_1+j_1$, then $(T_1-j_2)(q+1) < (t_1-j_1)(q+1)+j_1-j_2$, contradicting
the fact that $u_1 \ge n_1$. Hence, $j_2 \le T_1-t_1+j_1$ and $v^+ \in S_{l+1} \subseteq \Gamma_{l+1}^+ \subseteq H_{l+1}$. It
follows that $v \in H_m$ and so $v \in \{p \in H_m : p_2 = n_2\}$. This yields a contradiction
as $n$ is minimal in $\{p \in H_m : p_2 = n_2\}$, concluding the proof in this subcase.
Subcase (b): Suppose that $j_1 = t_1$. Set

$v := (0,\ u_2,\ \ldots,\ u_{m-1},\ (T_1-j_2)(q+1)+j_2).$

Then $v \preceq n$ and $v \ne n$ since $0 < n_1$, $u_i \le n_i$ for $2 \le i \le m-1$, and $u_1 <
(t_m-j_m+1)(q+1)$ implies $T_1-j_2 \le t_m-j_m$, which means $(T_1-j_2)(q+1)+j_2 \le
(t_m-j_m)(q+1)+j_m$ as $j_2 \le j_m$.

It is easy to see that $v^+ \in S_l$ as $T_1+T_2+T_{i_3}+\cdots+T_{i_l} = q+(l-1)(j_2-1)$ and $j_2 \le
T_{i_r} \le q-1$ for all $1 \le r \le l$. As before, it follows that $v \in H_m$ and $v \in \{p \in
H_m : p_2 = n_2\}$. Since $v \ne n$, this contradicts the minimality of $n$ in the set
$\{p \in H_m : p_2 = n_2\}$, concluding the proof in this subcase.

Since both cases (1) and (2) yield a contradiction, it must be the case that no
such $n$ exists. Hence, $\Gamma_m^+ \setminus S_m = \emptyset$. This establishes that $\Gamma_m^+ \subseteq S_m$, concluding
the proof that $\Gamma_m^+ = S_m$.

To illustrate Theorem 10, we provide an example.

Example 11. As in Example 5, consider the curve $X$ defined by $y^8 + y = x^9$ over
$\mathbb{F}_{64} = \mathbb{F}_2(\omega)$ where $\omega^6 + \omega^{[?]} + \omega^{[?]} + \omega + 1 = 0$.

Let $P_1 = P_\infty$, $P_2 = P_{00}$, $P_3 = P_{01}$, $P_4 = P_{0[?]}$. Since $H(P_1) = \langle 8, 9 \rangle$ and $\Gamma_2^+$ is
described in Example 5, to determine $H(P_1, P_2, P_3)$ it only remains to find $\Gamma_3^+$.
By Theorem 10, $\Gamma_3^+ =$

{ (1, 1, 46), (1, 10, 37), (1, 19, 28), (1, 28, 19), (1, 37, 10), (1, 46, 1),
(2, 2, 38), (2, 11, 29), (2, 20, 20), (2, 29, 11), (2, 38, 2),
(3, 3, 30), (3, 12, 21), (3, 21, 12), (3, 30, 3),
(4, 4, 22), (4, 13, 13), (4, 22, 4),
(5, 5, 14), (5, 14, 5), (6, 6, 6),
(10, 1, 37), (10, 10, 28), (10, 19, 19), (10, 28, 10), (10, 37, 1),
(11, 2, 29), (11, 11, 20), (11, 20, 11), (11, 29, 2),
(12, 3, 21), (12, 12, 12), (12, 21, 3),
(13, 4, 13), (13, 13, 4),
(14, 5, 5),
(19, 1, 28), (19, 10, 19), (19, 19, 10), (19, 28, 1),
(20, 2, 20), (20, 11, 11), (20, 20, 2),
(21, 3, 12), (21, 12, 3),
(22, 4, 4),
(28, 1, 19), (28, 10, 10), (28, 19, 1),
(29, 2, 11), (29, 11, 2),
(30, 3, 3),
(37, 1, 10), (37, 10, 1),
(38, 2, 2),
(46, 1, 1) }.
To find $H(P_1, P_2, P_3, P_4)$, we only need to apply Theorem 10 to see that $\Gamma_4^+ =$

{ (1, 1, 1, 37), (1, 1, 10, 28), (1, 1, 19, 19), (1, 1, 28, 10), (1, 1, 37, 1), (1, 10, 1, 28),
(1, 10, 10, 19), (1, 10, 19, 10), (1, 10, 28, 1), (1, 19, 1, 19), (1, 19, 10, 10), (1, 19, 19, 1),
(1, 28, 1, 10), (1, 28, 10, 1), (1, 37, 1, 1),
(2, 2, 2, 29), (2, 2, 11, 20), (2, 2, 20, 11), (2, 2, 29, 2), (2, 11, 2, 20), (2, 11, 11, 11),
(2, 11, 20, 2), (2, 20, 2, 11), (2, 20, 11, 2), (2, 29, 2, 2),
(3, 3, 3, 21), (3, 3, 12, 12), (3, 3, 21, 3), (3, 12, 3, 12), (3, 12, 12, 3), (3, 21, 3, 3),
(4, 4, 4, 13), (4, 4, 13, 4), (4, 13, 4, 4),
(5, 5, 5, 5),
(10, 1, 1, 28), (10, 1, 10, 19), (10, 1, 19, 10), (10, 1, 28, 1), (10, 10, 1, 19), (10, 10, 10, 10),
(10, 10, 19, 1), (10, 19, 1, 10), (10, 19, 10, 1), (10, 28, 1, 1),
(11, 2, 2, 20), (11, 2, 11, 11), (11, 2, 20, 2), (11, 11, 2, 11), (11, 11, 11, 2), (11, 20, 2, 2),
(12, 3, 3, 12), (12, 3, 12, 3), (12, 12, 3, 3),
(13, 4, 4, 4),
(19, 1, 1, 19), (19, 1, 10, 10), (19, 1, 19, 1), (19, 10, 1, 10), (19, 10, 10, 1), (19, 19, 1, 1),
(20, 2, 2, 11), (20, 2, 11, 2), (20, 11, 2, 2),
(21, 3, 3, 3),
(28, 1, 1, 10), (28, 1, 10, 1), (28, 10, 1, 1),
(29, 2, 2, 2),
(37, 1, 1, 1) }.

Similarly, one can use Theorem 10 to find $\Gamma_5^+$, $\Gamma_6^+$, $\Gamma_7^+$, $\Gamma_8^+$, and $\Gamma_9^+$.
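The set $\Gamma_m^+$ of Theorem 10 can be enumerated mechanically. The following Python script is an added example, not code from the paper: with helper names of my own, it generates $\Gamma_m^+$ for $q = 8$ as in Example 11 and cross-checks that every coordinate is a gap of $H(P_1) = \langle q, q+1 \rangle$.

```python
"""Enumerate Gamma_m^+ from Theorem 10 (added example, not the paper's code).

For the q+1 collinear rational points P_1 = P_inf, P_2, ..., P_{q+1} on the
Hermitian curve y^q + y = x^(q+1), Theorem 10 states

    Gamma_m^+ = { gamma_{t,j} : sum(t_i) = q + (m-1)(j-1),
                  1 <= j <= t_i <= q-1 for all i },

where gamma_{t,j} = ((t_1-j)(q+1)+j, ..., (t_m-j)(q+1)+j).  The functions
below (names are mine) build that set and cross-check its coordinates
against the gap set of the semigroup <q, q+1>, the Weierstrass semigroup
at a single rational point.
"""
from typing import Iterator, Set, Tuple

Vector = Tuple[int, ...]


def gamma(t: Vector, j: int, q: int) -> Vector:
    """gamma_{t,j} as defined before Theorem 10."""
    return tuple((ti - j) * (q + 1) + j for ti in t)


def bounded_compositions(total: int, parts: int, lo: int, hi: int) -> Iterator[Vector]:
    """All tuples of `parts` integers in [lo, hi] whose sum is `total`."""
    if parts == 0:
        if total == 0:
            yield ()
        return
    for first in range(lo, hi + 1):
        rest = total - first
        # Prune branches whose remaining parts cannot reach `rest`.
        if rest < lo * (parts - 1) or rest > hi * (parts - 1):
            continue
        for tail in bounded_compositions(rest, parts - 1, lo, hi):
            yield (first,) + tail


def gamma_plus(m: int, q: int) -> Set[Vector]:
    """Gamma_m^+ per Theorem 10 for 2 <= m <= q+1."""
    result: Set[Vector] = set()
    for j in range(1, q):                     # 1 <= j <= q-1
        target = q + (m - 1) * (j - 1)        # required value of sum(t_i)
        for t in bounded_compositions(target, m, j, q - 1):
            result.add(gamma(t, j, q))
    return result


def is_representable(n: int, q: int) -> bool:
    """True if n = x*q + y*(q+1) for some integers x, y >= 0."""
    return any((n - y * (q + 1)) % q == 0 for y in range(n // (q + 1) + 1))


def gap_set(q: int) -> Set[int]:
    """Gaps of <q, q+1>, i.e. the positive integers it does not contain.
    The Frobenius number of <q, q+1> is q^2 - q - 1, so q^2 is a safe bound."""
    return {n for n in range(1, q * q) if not is_representable(n, q)}


def gaps_via_diagram(q: int) -> Set[int]:
    """The same gaps written as (t-j)(q+1)+j with 1 <= j <= t <= q-1,
    the (column j, diagonal t) description used in the text."""
    return {(t - j) * (q + 1) + j for t in range(1, q) for j in range(1, t + 1)}


def all_coordinates_are_gaps(m: int, q: int) -> bool:
    """Sanity check: Gamma_m^+ lies in G(P_1) x ... x G(P_m)."""
    gaps = gap_set(q)
    return all(c in gaps for vec in gamma_plus(m, q) for c in vec)


if __name__ == "__main__":
    q = 8                                      # the curve y^8 + y = x^9 of Example 11
    for m in (2, 3, 4):
        print(f"|Gamma_{m}^+| = {len(gamma_plus(m, q))}")
    print(sorted(gamma_plus(3, q))[:6])        # first few elements, as listed above
```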
Abstract. A Generalized Galois Ring (GGR) $S$ is a finite nonassociative ring with identity of characteristic $p^n$, for a prime number $p$, such
that its top-factor $\bar S = S/pS$ is a finite semifield. It is well known that
if $S$ is an associative Galois Ring (GR) then the set $S^* = S \setminus pS$ is a
finite multiplicative abelian group. This group is cyclic if and only if $S$
is either a finite field, or a residual integer ring of odd characteristic or
the ring $\mathbb{Z}_4$. A GGR is called top-associative if $\bar S$ is a finite field. In this
paper we study the conditions for a top-associative not associative GGR
$S$ to be cyclic.



1 Introduction 

1.1 Generalized Galois Rings and Finite Semifields 

Classical (associative) Galois Rings (GR) have been extensively studied in the
literature [5, 7, 15-18, 20], and several applications of these rings to coding theory and cryptography have been considered [8-13, 18]. A GR is an associative
and commutative ring with identity, and it is uniquely determined by its characteristic $p^n$ and its cardinality $p^{rn}$. Moreover, for any natural numbers $r$ and
$n$ and for any prime number $p$ there exists a unique, up to isomorphism, GR
$S$ of characteristic $p^n$ and cardinality $p^{rn}$. It is denoted by $GR(p^{rn}, p^n)$ [15, 20].
In [2] the notion of Generalized Galois Ring (GGR) was introduced and defined
as a finite not necessarily associative ring $S$ with identity such that the set of
all its zero divisors has the form $pS$ for a natural number $p$. Many properties of
associative Galois Rings, related to characteristic, cardinality and ideal lattice
structure are preserved by the new definition.

A finite nonassociative ring $D$ is called a finite semifield if the set $D^* = D \setminus \{0\}$
is closed under the multiplication and it is a loop, i.e. $D$ is a finite ring with
identity such that for any pair of elements $a, b \in D$, $a \ne 0$, there exists a unique
solution of the equation $ax = b$ (resp. $xa = b$). The characteristic of a finite
semifield $D$ is a prime number $p$, its associative-commutative centre $F = Z(D)$
is a finite field of $q = p^c$ elements ($c \in \mathbb{N}$), and $D$ is an $F$-algebra of dimension
$d$, for a natural number $d$. If $D$ is associative then it is a finite field ($d = 1$),
whereas if it is not associative then $d \ge 3$ [1, 6].

Finite semifields appear in a natural way in the study of GGR: a finite nonassociative ring $S$ with identity is a GGR if and only if there exist a natural number
$n$ and a prime number $p$ such that the characteristic of $S$ is $p^n$ and the top-factor
$\bar S = S/pS$ is a finite semifield [2]. If $\bar S$ has $p^d$ elements then the set of nonzero
divisors $S^* = S \setminus pS$ of a GGR $S$ is a loop of cardinality $(p^d-1)p^{d(n-1)}$. In [2]
we proved that for any finite semifield $D$ of characteristic $p$ and for any natural
number $n$ there exists a (not necessarily unique) GGR $S$ of characteristic $p^n$ and
top-factor $\bar S = S/pS$ isomorphic to $D$. We will denote the class of GGR of characteristic $p^n$ and with a given finite semifield $D$ as quotient ring by $GGR(D, p^n)$.
The case $D = GF(p^d)$ a finite field is especially interesting, and rings in the class
$GGR(GF(p^d), p^n)$ are called top-associative.



1.2 Multiplicative Structure of Galois Rings 

One of the main tools in the study of a GR $S$ is the Teichmüller coordinate
set (TCS). It is a subset of $S$, closed under the multiplication and isomorphic
to the multiplicative semigroup of the finite field $\bar S = S/pS$ under the natural
epimorphism $S \to \bar S$. Any associative GR $S = GR(q^n, p^n)$ ($q = p^r$) contains a
unique subset $\Gamma(S)$ with this property: $\Gamma(S) = \{a \in S \mid a^q = a\}$; it induces a
$p$-adic decomposition $S = \Gamma(S) + p\Gamma(S) + \cdots + p^{n-1}\Gamma(S)$ [15, 16, 18, 20]. Many
properties of the GR can be obtained from the existence of the TCS and the
mentioned $p$-adic decomposition, for instance, the full description of the lattice
of Galois subrings or the structure of the group of automorphisms of $S$.

Moreover, given a Galois Ring $S = GR(q^n, p^n)$ ($q = p^r$), the multiplicative
structure of the group of units $S^* = S \setminus pS$ can be obtained using the existence
of the TCS. The group $S^*$ is abelian of cardinality $(q-1)q^{n-1}$, and it can be
decomposed as a direct sum of the multiplicative group $\Gamma(S)^* = \Gamma(S) \setminus \{0\}$ and
the $p$-group $e + pS = \{e + ps \mid s \in S\}$, where $e$ denotes the identity of $S$. The
first group is cyclic of cardinality $q-1$, whereas the second one decomposes as
a direct sum of cyclic groups [20]:

$e + pS \cong \begin{cases} \underbrace{C_{p^{n-1}} \times \cdots \times C_{p^{n-1}}}_{r} & \text{if } p > 2, \\[4pt] C_2 \times C_{2^{n-2}} \times \underbrace{C_{2^{n-1}} \times \cdots \times C_{2^{n-1}}}_{r-1} & \text{if } p = 2. \end{cases}$

Hence $S^*$ is cyclic if and only if $S$ is a finite field ($n = 1$), or a residual integer
ring of odd characteristic ($p > 2$, $r = 1$) or the ring $\mathbb{Z}_4$ ($p = n = 2$, $r = 1$).



1.3 Multiplicative Structure of Finite Semifields and Generalized 
Galois Rings 

The structure of the multiplicative loop of nonzero elements $D^* = D \setminus \{0\}$ of
an arbitrary finite semifield $D$ has not been described up to now. In [23], G.P.
Wene introduced the notion of right primitive semifield as a finite semifield $D$
having an element $w$ (a right primitive element) that generates $D^*$, that is, $D^*$
consists of all right principal powers of $w$: $D^* = \{w^{i)} \mid i = 0, \ldots, p^d-2\}$,
where if $e$ is the identity of the semifield, the (right) principal powers of an
arbitrary element $a$ are defined by: $a^{0)} = e$, $\forall i \in \mathbb{N} : a^{i+1)} = a^{i)}a$. If $D$ is
a right primitive semifield of cardinality $p^d$ then the set $\{e, w, w^{2)}, \ldots, w^{d-1)}\}$ is
a basis of $D$ over $\mathbb{Z}_p$. The notion of left primitive semifield can be defined in
the obvious way. Wene proved that some important classes of finite semifields
are right primitive, and conjectured that any finite semifield is right primitive,
i.e. it possesses a right primitive element [23, 24]. Recently, I.F. Rúa [21] has
proved that the answer to this conjecture is negative. There exists a semifield of
32 elements that is neither right nor left primitive. Nevertheless, there are many
semifields for which the assertion of the conjecture remains true [21].

In [3] the existence of Teichmüller Coordinate Sets in GGR $S$ whose top-factor $\bar S$ is a right (or left) primitive semifield was considered. It was proved that
the existence of a TCS in a GGR guarantees its associativity. This fact suggests
that the study of the multiplicative structure of an arbitrary nonassociative GGR
will not follow the lines of the associative case.

In this paper we study the cyclic condition of a GGR $S$, i.e. we look for
conditions for the loop $S^* = S \setminus pS$ to be generated by a single element $a \in S^*$.
First we will consider right cyclic GGR, when there exists an element a such 
that the set of all its right principal powers is the set S* of nonzero elements of S. 
Then we will consider right-left cyclic top-associative GGR, when there exists an 
element a such that the set of all elements generated from a by multiplications 
on the right or on the left by a is the set S* of nonzero elements of S. In our 
study, properties of matrices over GR and finite fields will be extensively used, 
together with maximal order matrices over finite fields. So, most of the problems 
will be eventually reduced to the study of properties of matrices over finite fields. 
In particular, a result on conjugates of a matrix by powers of a maximal order 
matrix, that has its own interest, is included. 



2 Right Cyclic GGR 

In what follows ring will mean nonassociative ring [22], and $D$ will denote a finite
semifield of characteristic $p$ and cardinality $p^d$. Furthermore, $S \in GGR(D, p^n)$
will denote a GGR of characteristic $p^n$ and top-factor $\bar S$ isomorphic to $D$. The
centre of a ring $T$ is the subring:

$Z(T) = \{a \in T \mid \forall b, c \in T : (ab)c = a(bc) = b(ac),\ ab = ba\}.$

The subring $R$ generated by the identity $e$ of $S$ is contained in the centre of $S$
and is a Galois Ring $GR(p^n, p^n) = \mathbb{Z}_{p^n}$ (notice that $\bar R = R/pR = \mathbb{Z}_p$ and
that $\bar S$ is an $\bar R$-vector space of dimension $d$). It was proved in [2] that $S$ is a
free module of rank $d$ over $R$, and a subset $\{x_1, \ldots, x_d\} \subseteq S$ is an $R$-basis of $S$
if and only if $\{\bar x_1, \ldots, \bar x_d\} \subseteq \bar S$ is an $\bar R$-basis of $\bar S$. Let us fix an $R$-basis of $S$,
$B = \{x_1, \ldots, x_d\} \subseteq S$.
In this section we shall introduce and study the concepts of right and left
order of an element.

Definition 1. Let $a$ be an element of the loop $S^* = S \setminus pS$. Then the right order
of $a$ is the smallest natural number $k$ such that $a^{k)} = e$, and it will be denoted
by $\mathrm{ord}_r(a)$. The left order of $a$, $\mathrm{ord}_l(a)$, is defined in an analogous way. The
GGR $S$ is called right (resp. left) cyclic if there exists an element $a \in S^*$ such
that $\mathrm{ord}_r(a) = |S^*|$ (resp. $\mathrm{ord}_l(a) = |S^*|$).

Notice that the right and left order of an element are well defined because
$S^*$ is a finite loop. If $S$ is an associative GGR, i.e. a GR, the right order of an
element $a$ coincides with the left order, and it is the order of the multiplicative
subgroup generated by $a$. Therefore $S$ is right (left) cyclic if and only if the
group $S^*$ is cyclic. In the nonassociative case the situation is rather different.
The right order of an element $a \in S^*$ can be smaller than the cardinality of
the subloop generated by $a$, which contains the elements obtained by finitely many
multiplications of the element $a$ with any possible arrangement of brackets.

To study the right order of an element $a \in S^*$ we will consider the linear
transformation $R_a : S \to S$, given by $R_a(x) = xa$. This map is a bijection
and induces a permutation of the set $S^*$. The order of this permutation will be
denoted by $T(R_a)$. Clearly $\mathrm{ord}_r(a)$ divides $T(R_a)$, since $\mathrm{ord}_r(a)$ is the length of
the cycle containing $a$ in the permutation induced by $R_a$. The linear transformation $R_a$ has a matrix $A \in GL(d, R)$ with respect to the basis $B$ fixed above.
Since $T(R_a) = T(A)$ (the order of the matrix $A$), the study of the right order of
$a$ will use properties of matrices over the ring $\mathbb{Z}_{p^n}$. The following properties of
matrices over associative Galois Rings were proved by A. A. Nechaev in [19].

Theorem 1. If $R = \mathbb{Z}_{p^n}$, $d$ is a natural number and $A \in GL(d, R)$, then
$T(A) \le (p^d-1)p^{n-1}$.

A matrix $A \in GL(d, R)$ whose order satisfies $T(A) = (p^d-1)p^{n-1}$ is called a
maximal order matrix.

For any $A \in M_d(R)$, $d \times d$-matrix over the ring $R$, we shall denote by $a$ the
matrix over $\bar R = R/pR = \mathbb{Z}_p$ given by $a_{ij} = \overline{A_{ij}}$ for any $i, j \in \{1, \ldots, d\}$. Given
$x^{\downarrow}$ in the set $R^{(d)}$ of all column vectors of length $d$ over $R$, $\bar x^{\downarrow}$ will denote its
image in the ring $\mathbb{Z}_p^{(d)}$. Any matrix $A \in GL(d, R)$ induces a permutation $\varphi_A$ in
$R^{(d)}$ ($\varphi_A(x^{\downarrow}) = Ax^{\downarrow}$). The next result characterizes maximal order matrices in
$GL(d, R)$.

Theorem 2. Let $R = \mathbb{Z}_{p^n}$ and let $d$ be a natural number ($d \ge 2$ in the case
$p = 2$, $n > 2$). The matrix $A \in GL(d, R)$ is a maximal order matrix if and only
if it has the form

$A = A^*(E + pH(A^*)),$

where $A^* \in GL(d, R)$ is a matrix of order $p^d-1$, $E$ is the identity matrix and
$H(x) \in R[x]$ is a polynomial of degree less than $d$ satisfying

and, if $p = 2 < n$, satisfying

$\bar e \ne \bar H(x),$

where $\bar e$ is the identity of $\bar R$ and $\bar H(x)$ denotes the image of $H(x)$ in the ring
$\mathbb{Z}_p[x]$. In such a case, the matrix $a = \bar A \in GL(d, \mathbb{Z}_p)$ is a maximal order
matrix ($T(a) = p^d-1$) and for any vector $x^{\downarrow} \in R^{(d)}$ such that $\bar x^{\downarrow} \in \mathbb{Z}_p^{(d)}$ is
not the zero vector $0^{\downarrow}$, the length of the cycle containing $x^{\downarrow}$ in the permutation $\varphi_A$ is
$(p^d-1)p^{n-1}$.

Remark 1. If $a \in GL(d, \mathbb{Z}_p)$ is a maximal order matrix then its characteristic
polynomial is an irreducible polynomial of degree $d$ over $\mathbb{Z}_p$ whose roots are
primitive elements of the field $GF(p^d)$.

Proposition 1. Let $A \in GL(d, R)$ ($R = \mathbb{Z}_{p^n}$) be a matrix such that $T(a) =
p^d-1$. The matrix $B \in M_d(R)$ commutes with $A$ if and only if $B$ is a polynomial
in $A$.
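As an added illustration of Theorem 1 and Theorem 2 (not code from the paper), the Python script below computes the order $T(A)$ of a matrix over $\mathbb{Z}_{p^n}$ by exhaustive search and exhibits the factorisation $A = A^*(E + pH(A^*))$ for one constructed matrix; the sample matrix, the choice $p = 3$, $n = 2$, $d = 2$, and the helper names are my own.

```python
"""Orders of matrices over Z_{p^n} (added example; not the paper's code).

Theorem 1: for A in GL(d, Z_{p^n}), T(A) <= (p^d - 1) p^(n-1).
Theorem 2: A has that maximal order iff A = A*(E + pH(A*)) with T(A*) = p^d - 1
and (for odd p) H not vanishing modulo p.

Constructed sample (my choice): p = 3, n = 2, d = 2 and A a lift to Z_9 of the
companion matrix [[0, 1], [1, 1]] of x^2 + 2x + 2, a primitive polynomial over Z_3.
"""
from typing import List

Matrix = List[List[int]]

SAMPLE_P, SAMPLE_N, SAMPLE_D = 3, 2, 2
SAMPLE_A: Matrix = [[0, 7], [1, 7]]   # constructed; reduces to [[0, 1], [1, 1]] mod 3


def identity(d: int) -> Matrix:
    return [[int(i == j) for j in range(d)] for i in range(d)]


def mat_mul(x: Matrix, y: Matrix, mod: int) -> Matrix:
    d = len(x)
    return [[sum(x[i][k] * y[k][j] for k in range(d)) % mod for j in range(d)]
            for i in range(d)]


def mat_pow(x: Matrix, e: int, mod: int) -> Matrix:
    """x**e modulo mod by square-and-multiply (e >= 0)."""
    result, base = identity(len(x)), [row[:] for row in x]
    while e:
        if e & 1:
            result = mat_mul(result, base, mod)
        base = mat_mul(base, base, mod)
        e >>= 1
    return result


def reduce_mod(x: Matrix, p: int) -> Matrix:
    """The matrix a = A mod p of the text."""
    return [[v % p for v in row] for row in x]


def max_order(p: int, n: int, d: int) -> int:
    """The bound (p^d - 1) p^(n-1) of Theorem 1."""
    return (p ** d - 1) * p ** (n - 1)


def matrix_order(x: Matrix, mod: int, bound: int) -> int:
    """T(x): the least k >= 1 with x^k = E modulo mod, searched up to bound.
    Raises ValueError if none is found (x not invertible, or bound too small)."""
    e = identity(len(x))
    power = e
    for k in range(1, bound + 1):
        power = mat_mul(power, x, mod)
        if power == e:
            return k
    raise ValueError("no order up to bound")


def teichmueller_lift(x: Matrix, p: int, n: int, d: int) -> Matrix:
    """A* := A^(p^(d(n-1))).  Since a^(p^d) = a and T(A) = (p^d - 1) p^t with
    t <= n-1, this power reduces to a modulo p and has order exactly p^d - 1,
    so it serves as the matrix A* of Theorem 2."""
    return mat_pow(x, p ** (d * (n - 1)), p ** n)


def unit_factor(x: Matrix, p: int, n: int, d: int) -> Matrix:
    """E + pH(A*) = (A*)^(-1) A, using (A*)^(-1) = (A*)^(p^d - 2)."""
    mod = p ** n
    a_star = teichmueller_lift(x, p, n, d)
    a_star_inv = mat_pow(a_star, p ** d - 2, mod)
    return mat_mul(a_star_inv, x, mod)


if __name__ == "__main__":
    P, N, D, A = SAMPLE_P, SAMPLE_N, SAMPLE_D, SAMPLE_A
    print("T(a) over Z_3 =", matrix_order(reduce_mod(A, P), P, max_order(P, 1, D)))
    print("T(A) over Z_9 =", matrix_order(A, P ** N, max_order(P, N, D)))
    print("A*            =", teichmueller_lift(A, P, N, D))
    print("E + pH(A*)    =", unit_factor(A, P, N, D))
```

For the sample, $T(A) = 24 = (3^2-1)\cdot 3$ attains the bound of Theorem 1, and $E + 3H(A^*) = 4E$, i.e. $H \equiv 1 \pmod 3$ is nonzero, as Theorem 2 requires.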

Now we can easily get the following corollaries concerning the right order of
elements in a GGR.

Corollary 1. If $S \in GGR(D, p^n)$, $|D| = p^d$ and $a \in S^*$ is an arbitrary element,
then $\mathrm{ord}_r(a) \le (p^d-1)p^{n-1}$. Furthermore, $\mathrm{ord}_r(a) = (p^d-1)p^{n-1}$ if and only
if $T(R_a) = (p^d-1)p^{n-1}$. In this case $D$ is a right primitive semifield.

An element $a$ satisfying the equality $\mathrm{ord}_r(a) = (p^d-1)p^{n-1}$ is called a maximal
right order element.

Corollary 2. Let $S \in GGR(D, p^n)$ be a GGR. Then $S$ is right cyclic if and
only if $S$ is a cyclic associative GGR or a right primitive semifield.

A non right cyclic ring $S \in GGR(D, p^n)$ may contain elements of maximal
right order. According to Corollary 1 this is only possible if $D$ is a right primitive
semifield. The following result guarantees the existence of maximal right order
elements in $S$ when $D$ is a right primitive semifield of odd characteristic.

Proposition 2. Let $S \in GGR(D, p^n)$ be a GGR with $D$ a right primitive semifield of odd characteristic. Then $S$ contains an element of maximal right order.

Proof. Let $w \in D^*$ be a right primitive element of the semifield $D$, i.e. $\mathrm{ord}_r(w) =
p^d-1$ where $|D| = p^d$, and take $a \in S^*$ such that $\bar a = w$. If $R = \mathbb{Z}_{p^n}$ is
the subring of $S$ generated by the identity then $\bar R = R/pR = \mathbb{Z}_p$. Since $C =
\{e, w, w^{2)}, \ldots, w^{d-1)}\}$ is a $\mathbb{Z}_p$-basis of $D$ we have that $B = \{e, a, a^{2)}, \ldots, a^{d-1)}\}$
is an $R$-basis of $S$. Let us denote by $A \in GL(d, R)$ the matrix of the linear
transformation $R_a$ with respect to $B$. Then the matrix $a \in GL(d, \mathbb{Z}_p)$ is the
coordinate matrix of the linear transformation $R_w$ with respect to $C$ and, since
$\mathrm{ord}_r(w) = p^d-1$, we have that $T(a) = p^d-1$ and so $p^d-1 \mid T(A) \mid (p^d-1)p^{n-1}$. If
$T(A) = (p^d-1)p^{n-1}$ then, by Corollary 1, the element $a$ is an element of maximal
right order $(p^d-1)p^{n-1}$.

Otherwise, $T(A) = (p^d-1)p^t$, where $t < n-1$. Since $\overline{A^{[?]}} = a$ we have
that $A = A^{[?]}(E + pC)$ for some matrix $C$, since $A$ is invertible. So the matrix
$pC$ commutes with $A$. By Proposition 1, $pC = pQ(A)$ for some $Q(x) \in R[x]$.
Furthermore, $T(A^{[?]}) = p^d-1$, and we will denote $A^{[?]}$ by $A^*$. Using the equality
$A = A^*(E + pQ(A))$ it is not difficult to prove that $pQ(A) = pQ'(A^*)$ for some
polynomial $Q'(x) \in R[x]$, and so $A = A^*(E + pQ'(A^*))$. Since the characteristic
polynomial of $A^*$ has degree $d$ we can assume that the degree of $Q'$ is smaller
than $d$.

Since $T(A) \ne (p^d-1)p^{n-1}$, according to Theorem 2, we have that $\bar Q'(x) = 0$.

Now consider an element $\lambda \in R$ such that $\bar\lambda$ is not equal to $0$. The matrix of the
linear transformation $R_\lambda$ with respect to $B$ is equal to $\lambda E$ and commutes with $A$.
The matrix of the linear transformation $R_{a(e+p\lambda)} = R_a + pR_{a\lambda} = R_a(E + pR_\lambda)$
with respect to $B$ is

$A(E + p\lambda E) = A^*(E + pQ'(A^*))(E + p\lambda E) = A^*(E + p(Q'(A^*) + \lambda E) + p^2\lambda Q'(A^*)).$

Then the polynomial $Q''(x) = Q'(x) + \lambda + p\lambda Q'(x) \in R[x]$ satisfies $\bar Q''(x) \ne 0$.
By Theorem 2, $A(E + p\lambda E)$ is a maximal order matrix and, by Corollary 1,
$a(e + p\lambda e)$ is an element of maximal right order $(p^d-1)p^{n-1}$.

In view of this result we can conclude that many GGR S have a maximal 
right order element a, but the set of all right principal powers of a may not 
exhaust the loop S* . In the following section we will consider the case when 
S* coincides with the set of elements generated from a by multiplications on 
the right and on the left by $a$. We will restrict ourselves to the top-associative
case, i.e. we will assume that the top-factor $\bar S$ is a finite field (right-left cyclic
top-associative GGR).

3 Right-Left Cyclic Top- Associative GGR 

The study of the problem of the right-left cyclic condition of top-associative GGR 
can be divided in two different parts. Firstly we will prove that it suffices to solve 
the problem for GGR of small characteristic. Then we will find a solution of the 
problem in the case of small characteristic, translating the problem to another 
one of matrices over finite fields. In the process we will obtain an interesting 
result on the conjugates of a matrix by the powers of a maximal order matrix 
(always matrices over finite fields). 

3.1 Lifting Property of the Right-Left Cyclic Condition 

Definition 2. Let $S \in GGR(GF(p^d), p^n)$ be a top-associative GGR with identity $e$ and let $a \in S^*$. Consider the group $RL_a$ generated by the maps $R_a, L_a :
S \to S$, given by $R_a(x) = xa$ and $L_a(x) = ax$. Then the set $RL_a(e) =
\{C(e) \mid C \in RL_a\}$ is a subset of $S^*$ containing $a$ and the identity. We will
say that $S$ is right-left cyclic if there exists an element $a \in S^*$ such that $\bar a$ is a
primitive element of $GF(p^d)$ and $RL_a(e) = S^*$.
Definition 3. Let $S \in GGR(D, p^n)$ ($n > 1$) be a (not necessarily top-associative) GGR. We define the critical factor of $S$ in the following way:

$S_{crit} = \begin{cases} S/p^2S & \text{if } p > 2 \text{ or } n = 2, \\ S/8S & \text{if } p = 2 < n. \end{cases}$

Notice that the critical factor of a GGR is also a GGR. The characteristic
of $S_{crit}$ is $p^2$ or $2^3$, depending on its definition. Our aim is to prove that a top-associative GGR of odd characteristic is right-left cyclic if and only if its critical
factor is right-left cyclic, that is, the right-left cyclic condition can be lifted from
the critical factor.

In what follows we will use the following notation: if $\alpha$ and $\beta$ are elements in
a GGR $S$ such that $\alpha = \beta + p^t\gamma$ for a $\gamma \in S$ and $t \in \mathbb{N}$, then we will write $\alpha \equiv_{p^t} \beta$.

Lemma 1. Let $S \in GGR(GF(p^d), p^n)$ be a top-associative GGR with identity
$e$ and let $a \in S^*$ such that $\bar a$ is a primitive element of $GF(p^d)$. If $H \in RL_a$
satisfies the condition $H(e) \equiv_p e$ then $H(\beta) \equiv_p \beta$ for any element $\beta \in S$.

Proof. Since $S$ is a top-associative GGR the maps $\bar R_a, \bar L_a : GF(p^d) \to GF(p^d)$,
given by $\bar R_a(x) = \bar a x$ and $\bar L_a(x) = x\bar a$, are the same. Hence, the map $\bar H :
GF(p^d) \to GF(p^d)$, given by $\bar H(\bar x) = \overline{H(x)}$, is equal to $(\bar R_a)^h$ for a natural
number $h$. Then, since $(\bar R_a)^h = \bar R_{a^h}$, the condition $H(e) \equiv_p e$ implies $\bar a^h = \bar e$, that
is, $p^d-1$ divides $h$, and so $\bar H = \mathrm{Id}$. Therefore $H(\beta) \equiv_p \beta$ for any element $\beta \in S$.

Definition 4. Let $S \in GGR(D, p^n)$ be a GGR (not necessarily top-associative).
A subset $\Gamma \subseteq S$ is called a coordinate set if $|\Gamma| = |D|$ and $\bar\Gamma = \{\bar a \mid a \in \Gamma\} = D$.

Given a coordinate set $\Gamma \subseteq S$ it is not difficult to prove that for any element
$\beta \in S$ there exist unique elements $\beta_0, \beta_1, \ldots, \beta_{n-1} \in \Gamma$ such that $\beta = \beta_0 + p\beta_1 +
\cdots + p^{n-1}\beta_{n-1}$. Furthermore, $\beta \in S^*$ if and only if $\beta_0 \ne 0$ [3].

Lemma 2. Let $S \in GGR(GF(p^d), p^n)$ be a top-associative GGR with identity
$e$ and let $a \in S^*$ be an element such that $\bar a$ is a primitive element of $GF(p^d)$.
Then $S^* = RL_a(e)$ if and only if for any $r \in \{0, \ldots, p^d-2\}$ and for any $t < n$
there exists an element $C^r_{t+1} \in RL_a$ such that $C^r_{t+1}(e) \equiv_{p^{t+1}} e + p^ta^{r)}$.

Proof. The condition is necessary, since the set of elements $\{e + p^ta^{r)} \mid r \in
\{0, \ldots, p^d-2\},\ t < n\}$ is contained in $S^*$. So, let us assume that the condition
holds. Since $\bar a$ is a primitive element of $GF(p^d)$ the set $\Gamma =
\{0, e, a, a^{2)}, \ldots, a^{p^d-2)}\}$ is a coordinate set of $S$. We shall prove, by induction
on $t$, that for any elements $\beta_0, \ldots, \beta_{n-1} \in \Gamma$ such that $\beta_0 \ne 0$, there exists
$B_t \in RL_a$ such that $B_t(e) \equiv_{p^t} \beta = \beta_0 + p\beta_1 + \cdots + p^{n-1}\beta_{n-1}$. In the case $t = 1$,
since $\beta_0 = a^{r)}$ for some $r \in \{0, \ldots, p^d-2\}$, the map $B_1 = (R_a)^r \in RL_a$ verifies
$B_1(e) \equiv_p \beta$. Let us now suppose that there exists $B_t \in RL_a$ such that $B_t(e) \equiv_{p^t} \beta$.
Then there exists $\gamma_t \in \Gamma$ such that $B_t(e) \equiv_{p^{t+1}} \beta_0 + p\beta_1 + \cdots + p^{t-1}\beta_{t-1} + p^t\gamma_t$.
If $\gamma_t = \beta_t$ take $B_{t+1} = B_t$. Otherwise there exists $s \in \{0, \ldots, p^d-2\}$ such
that $\overline{a^{s)}} = \overline{\beta_t - \gamma_t}$. We consider the map $B_t^{-1}$; then $B_t^{-1}(a^{s)}) \equiv_p a^{r)}$ for some
$r \in \{0, \ldots, p^d-2\}$ and, by hypothesis, there exists $C^r_{t+1} \in RL_a$ such that
$C^r_{t+1}(e) \equiv_{p^{t+1}} e + p^ta^{r)}$. Now the map $B_{t+1} = B_tC^r_{t+1} \in RL_a$ verifies $B_{t+1}(e) \equiv_{p^{t+1}} \beta$.

Finally, if we consider $B_n \in RL_a$ then $B_n(e) = \beta$ and so $S^* = RL_a(e)$.

Given $S \in GGR(D, p^n)$ ($n > 1$) we shall denote by $\tilde{\ } : S \to S_{crit}$ the canonical
epimorphism from $S$ onto its critical factor $S_{crit}$.

Proposition 3. Let $S \in GGR(GF(p^d), p^n)$ ($n > 1$) be a top-associative GGR
of odd characteristic with identity $e$, and let $a \in S^*$ be an element such that $\bar a$ is
a primitive element of $GF(p^d)$. Then $S^* = RL_a(e)$ if and only if $\tilde S^* = RL_{\tilde a}(\tilde e)$.

Proof. It is clear that if $S^* = RL_a(e)$ then $\tilde S^* = RL_{\tilde a}(\tilde e)$. Now let us assume
that $\tilde S^* = RL_{\tilde a}(\tilde e)$. In view of the previous lemma it is enough to prove that
for any $r \in \{0, \ldots, p^d-2\}$ and for any $t < n$ there exists an element $C^r_{t+1} \in RL_a$
such that $C^r_{t+1}(e) \equiv_{p^{t+1}} e + p^ta^{r)}$. Let $r \in \{0, \ldots, p^d-2\}$; since $\tilde S^* = RL_{\tilde a}(\tilde e)$
there exists $C^r_2 \in RL_a$ such that $\widetilde{C^r_2(e)} = \tilde e + \tilde p\tilde a^{r)}$. So there exists $\gamma \in \Gamma =
\{0, e, a, a^{2)}, \ldots, a^{p^d-2)}\}$ such that $C^r_2(e) = e + pa^{r)} + p^2\gamma$. According to Lemma
1 the congruence $C^r_2(\beta) = \beta + p\gamma_\beta$ holds for any element $\beta \in \Gamma$ (for suitable
$\gamma_\beta \in \Gamma$). Let us prove by induction that for any natural number $k \ge 2$ the
following equations are true:

$(C^r_2)^k(e) \equiv_{p^3} e + kpa^{r)} + kp^2\gamma + \binom{k}{2}p^2\gamma_{a^{r)}}$

and

$(C^r_2)^k(a^{r)}) \equiv_{p^2} a^{r)} + kp\gamma_{a^{r)}}.$

Indeed:

$(C^r_2)^2(e) = C^r_2(e + pa^{r)} + p^2\gamma) \equiv_{p^3} e + 2pa^{r)} + p^2(2\gamma + \gamma_{a^{r)}})$

and

$(C^r_2)^2(a^{r)}) = C^r_2(a^{r)} + p\gamma_{a^{r)}}) \equiv_{p^2} a^{r)} + 2p\gamma_{a^{r)}}.$

So, if the congruences are true for $k$ then:

$(C^r_2)^{k+1}(e) = C^r_2\!\left(e + kpa^{r)} + kp^2\gamma + \binom{k}{2}p^2\gamma_{a^{r)}}\right) \equiv_{p^3} e + (k+1)pa^{r)} + (k+1)p^2\gamma + \binom{k+1}{2}p^2\gamma_{a^{r)}}$

and

$(C^r_2)^{k+1}(a^{r)}) = C^r_2(a^{r)} + kp\gamma_{a^{r)}}) \equiv_{p^2} a^{r)} + (k+1)p\gamma_{a^{r)}}.$

When $k = p$ we have: $(C^r_2)^p(e) \equiv_{p^3} e + p^2a^{r)}$ and $(C^r_2)^p(a^{r)}) \equiv_{p^2} a^{r)}$. Finally, we can
prove by induction that for any $t \ge 2$ the equality $(C^r_2)^{p^{t-1}}(e) \equiv_{p^{t+1}} e + p^ta^{r)}$
holds. The case $t = 2$ is true, as we have just proved. If the congruence holds
for $t$ then there exists $\beta \in S$ such that $(C^r_2)^{p^{t-1}}(e) = e + p^ta^{r)} + p^{t+1}\beta$. Notice
that $(C^r_2)^{p^{t-1}}(a^{r)}) \equiv_{p^2} a^{r)}$, so:

$(C^r_2)^{p^t}(e) = \left((C^r_2)^{p^{t-1}}\right)^p(e) = \left((C^r_2)^{p^{t-1}}\right)^{p-1}(e + p^ta^{r)} + p^{t+1}\beta)$

$\equiv_{p^{t+2}} \left((C^r_2)^{p^{t-1}}\right)^{p-2}(e + 2p^ta^{r)} + 2p^{t+1}\beta) \equiv_{p^{t+2}} \cdots \equiv_{p^{t+2}} e + p^{t+1}a^{r)} + p^{t+2}\beta \equiv_{p^{t+2}} e + p^{t+1}a^{r)}.$

The result follows from Lemma 2 taking $C^r_{t+1} = (C^r_2)^{p^{t-1}}$.

This result shows that if the critical factor of a top-associative GGR S is 
right-left cyclic, so is the ring S. Whether a similar property holds when the 
characteristic of S is even is an open problem. 

Next we shall study the problem of the right-left cyclic condition of top- 
associative GGR of characteristic p^2. 



3.2 Right-Left Cyclic Condition of Top-Associative GGR of 
Characteristic p^2 

In this section S ∈ GGR(GF(p^d), p^2) will be a top-associative GGR of characteristic p^2 
and a ∈ S* will be an element such that ā is a primitive element of GF(p^d), 
so the right order of the element a is equal to p^d − 1 or (p^d − 1)p. 
If R = Z_{p^2} is the subring of S generated by the identity e, then the set 
B = {e, a, ..., a^{d−1}} is an R-basis of S. We shall denote by A ∈ GL(d, R) 
the matrix of the linear transformation R_a : S → S with respect to B. Since 
T(A) = p^d − 1 or T(A) = (p^d − 1)p, according to Theorem 2, there exists a 
polynomial H(x) ∈ R[x] of degree less than d such that A = A*(E + pH(A*)), 
where A* ∈ GL(d, R) is a matrix of order p^d − 1 (if T(A) = p^d − 1 take H(x) = 0). 
Notice that A* = A^{p^d} and pH(A) = pH(A*), since the characteristic of S is p^2. 
So A^{p^d − 1} = E − pH(A*) = E − pH(A). On the other hand, since R_a ≡ L_a (mod p), the 
matrix of the linear transformation L_a with respect to B is equal to A(E + pB) 
for some B ∈ M_d(R), since A is invertible. For any element β ∈ S we shall denote 
by β^B ∈ R^d the coordinate vector of β in the basis B. We shall denote by β̄^B 
the image of β^B in Z_p^d under the natural epimorphism π : R → R/pR = Z_p. 

Given a matrix C ∈ M_d(R) we will denote by c ∈ M_d(Z_p) the image of C under 
π. In particular, the image of the matrix H(A) will be denoted by h(a). The 
next result presents a matrix characterization of right-left cyclic top-associative 
GGR. 



Proposition 4. The set RL_a(e) is equal to S* if and only if the set of vectors 
W = {h(a)e_1^B, {a^t b a^{−t} e_1^B}_{t∈ℕ}} ⊂ Z_p^d is a Z_p-generator system of Z_p^d. 

Proof. In terms of matrices with respect to the basis B, the elements in RLa are 
given by 

{A*°{E+pB)...A^’‘ ^{E + pB)A^’‘ |fc,tielNo} 

k-1 

= {A‘ + sp'^A^^BA‘-^^ I s G {0,l},fc,l,r, G INq} 

i=0 

since the characteristic of S is p^2. Let us assume that RL_a(e) = S*; then, in 
view of Lemma 2, for any r ∈ {0, ..., p^d − 2} there exists C_2 ∈ RL_a such that 

C 2 (e) = e -I- pa^\ If the matrix associated to is A^ + A''^BA^~''^ 

{k,l,ri G INo), then the following equality holds: 



fc-i 



(e = A‘ + sp A’’ 



BA 



I — Vi 



z=0 



and, since T(a) = p^d − 1, we have that l = (p^d − 1)t, for some natural number 
t. Then A^l = A^{(p^d − 1)t} = (E − pH(A))^t = E − ptH(A) and pA^l = pE, so: 



(e + pa’’y^ = ( E — ptEl{A) 




BA~ 



Therefore 

^ — th{a^ ep 

I r G {0, . . . - 2}} = \ {0 J, 

the set of vectors IT is a ^p-generator system of TZ^p'’ . 

Reciprocally, let r ∈ {0, ..., p^d − 2}; then there exist natural numbers 
s, s_0, ..., s_{p^d − 2} ∈ {0, ..., p − 1} such that 



p '^-1 

= —sh{a)ei -I- Sta*ba~*ei 
t=o 



since W is a Z_p-generator system of Z_p^d. Consider the following element of 
RL_a: 

    T = (R_a^{-1}L_a)^{s_0} R_a (R_a^{-1}L_a)^{s_1} R_a \cdots (R_a^{-1}L_a)^{s_{p^d-2}}. 
Then the matrix of T with respect to B has the form: 

so G e_1^B = (e + pa^{(r)})^B and T(e) = e + pa^{(r)}. 

According to this proposition it is necessary to study the Z_p-vector subspace 
generated by the elements of the form a^t b a^{−t} e_1^B, that is, to study conjugates 
of a given matrix over a finite field by powers of a maximal order matrix. So we 
have reduced our original problem of right-left cyclic top-associative GGR to a 
problem of matrices over finite fields. In order to provide a solution we need to 
prove the following lemma. 

Lemma 3. Let L = GF(p^d) be the finite field of p^d elements, let α ∈ L be a 
primitive element and let f_i(x) ∈ Z_p[x] be the minimal polynomial over Z_p of 
the element α^{p^i − 1} ∈ L (where i ∈ {1, ..., d − 1}). Then Z_p(α^{p^i − 1}) = L 
(i.e. f_i(x) has degree d), and f_i(x) ≠ f_j(x) if i ≠ j. 

Proof. We need to prove that the degree of f_i(x) is d, so let us assume that the 
degree of f_i(x) is t < d. Then, since t | d, we have that t ≤ d/2 and the multiplicative 
order of the element α^{p^i − 1} divides p^t − 1. But 

    ord(α^{p^i − 1}) = (p^d − 1) / gcd(p^d − 1, p^i − 1) = (p^d − 1) / (p^{(d,i)} − 1) 

and, since (d,i) | d and i < d, we have that (d,i) ≤ d/2. So ord(α^{p^i − 1}) | p^t − 1 
implies that p^d − 1 ≤ (p^{(d,i)} − 1)(p^t − 1) ≤ (p^{d/2} − 1)(p^{d/2} − 1) = p^d − 2p^{d/2} + 1, a 
contradiction. Therefore the degree of f_i(x) is d. 

Let us now assume that for some 1 ≤ i < j ≤ d − 1 the equality f_i(x) = f_j(x) 
holds. Then there exists 1 ≤ s ≤ d − 1 such that (α^{p^i − 1})^{p^s} = α^{p^j − 1}, i.e. 
(p^i − 1)p^s ≡ p^j − 1 (mod p^d − 1). Since i ≤ d − 2 and s ≤ d − 1 we have that 
i + s ≤ 2d − 3. We have two different possibilities: i + s < d, or i + s = d + k with 
0 ≤ k < s ≤ d − 1. 

If i + s < d then 0 < (p^i − 1)p^s = p^{i+s} − p^s < p^d − 1. Since 0 < p^j − 1 < p^d − 1 
and (p^i − 1)p^s ≡ p^j − 1 (mod p^d − 1), we have that (p^i − 1)p^s = p^j − 1, i.e. p 
divides 1, a contradiction. 

If i + s = d + k with 0 ≤ k < s ≤ d − 1 then (p^i − 1)p^s = p^{i+s} − p^s = 
p^{d+k} − p^s = (p^d − 1)p^k + (p^k − p^s), i.e. (p^i − 1)p^s ≡ p^k − p^s (mod p^d − 1). Hence 
p^j − 1 ≡ (p^i − 1)p^s ≡ p^k − p^s ≡ p^d − p^s + p^k − 1 (mod p^d − 1). Since 1 ≤ p^k < p^s < p^d 
and 0 < p^j − 1 < p^d − 1, we conclude that p^j − 1 = p^d − p^s + p^k − 1. Therefore 
p^j = p^d − p^s + p^k = p^k(p^{d−k} − p^{s−k} + 1) and p divides 1, a contradiction. 

Now we can prove the following theorem. 

Theorem 3. Let K = Z_p and let d be a natural number greater than 2. If 
A ∈ GL(d, K) and B ∈ M_d(K) are matrices such that T(A) = p^d − 1, and e_1 
denotes the vector (1, 0, ..., 0)^t, then the K-vector subspace of K^d generated by 
the vectors {A^{−t}BA^t e_1}_{t∈ℕ} has dimension less than or equal to 1 if B commutes 
with A, and d otherwise. 






    G = E + p\Big(-sH(A) + \sum_{i=0} \cdots\Big) 
Proof. If B commutes with A it is clear that the dimension is at most equal to 
1. Let us suppose that B does not commute with A. Notice that it is enough to 
prove the result when A is a companion matrix of the form 



    S_f = \begin{pmatrix} 0 & 0 & \cdots & 0 & f_0 \\ 1 & 0 & \cdots & 0 & f_1 \\ 0 & 1 & \cdots & 0 & f_2 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & 1 & f_{d-1} \end{pmatrix} 



where the roots of f(x) = x^d − f_{d−1}x^{d−1} − ··· − f_1 x − f_0 ∈ K[x] are prim- 
itive elements of L = GF(p^d). Indeed, if A is a maximal order matrix then 
{e_1, Ae_1, ..., A^{d−1}e_1} is a K-basis of K^d and so there exists C ∈ GL(d, K) 
such that C^{−1}AC = S_f, for some f(x) ∈ K[x]. It is not difficult to see that 
dim_K({A^{−t}BA^t e_1}_{t∈ℕ}) = d if and only if d = dim_K({S_f^{−t}(C^{−1}BC)S_f^t e_1}_{t∈ℕ}), 
since Ce_1 = A^k e_1 for some natural number k and so 

    dim_K({A^{-t}BA^{t}e_1}_{t∈ℕ}) = dim_K({A^{-t}BA^{t-k}Ce_1}_{t∈ℕ}) 
    = dim_K({(CS_f^{-t}C^{-1})B(CS_f^{t-k}C^{-1})Ce_1}_{t∈ℕ}) 
    = dim_K({C S_f^{-t}(C^{-1}BC)S_f^{t-k}e_1}_{t∈ℕ}) = dim_K({S_f^{-t}(C^{-1}BC)S_f^{t}e_1}_{t∈ℕ}). 

Therefore, let us assume that A = S_f, take α ∈ L such that f(α) = 0 and 
consider the following matrices in GL(d, L): 





    P = \begin{pmatrix} 1 & \alpha & \alpha^{2} & \cdots & \alpha^{d-1} \\ 1 & \alpha^{p} & \alpha^{2p} & \cdots & \alpha^{(d-1)p} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha^{p^{d-1}} & \alpha^{2p^{d-1}} & \cdots & \alpha^{(d-1)p^{d-1}} \end{pmatrix}, \quad 
    D = \begin{pmatrix} \alpha & 0 & \cdots & 0 \\ 0 & \alpha^{p} & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & \alpha^{p^{d-1}} \end{pmatrix}. 



It is not difficult to check that PAP^{−1} = D. If we set PBP^{−1} = C and x^B = 
Pe_1 = (1, ..., 1)^t we have that A^{−t}BA^t e_1 = P^{−1}(D^{−t}CD^t)x^B for any natural 
number t. Then it is clear that 

    dim_K({A^{-t}BA^{t}e_1}_{t∈ℕ}) = dim_K({D^{-t}CD^{t}x^B}_{t∈ℕ}). 



We shall prove that this dimension is equal to d. 

Since B does not commute with A, the matrix C does not commute 
with D and so it is not a diagonal matrix. Therefore there exists some C_{kj} ≠ 0 
(k ≠ j). We shall associate, to a polynomial λ(x) = Σ_t λ_t x^t ∈ K[x], the 
matrix M_λ = Σ_t λ_t D^{−t}CD^t. Since λ(x) ∈ K[x] we have: 

    M_\lambda = \begin{pmatrix} C_{11}\lambda(1) & C_{12}\lambda(\alpha^{p-1}) & C_{13}\lambda(\alpha^{p^2-1}) & \cdots & C_{1d}\lambda(\alpha^{p^{d-1}-1}) \\ C_{21}\lambda(\alpha^{1-p}) & C_{22}\lambda(1) & C_{23}\lambda(\alpha^{p^2-p}) & \cdots & C_{2d}\lambda(\alpha^{p^{d-1}-p}) \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ C_{d1}\lambda(\alpha^{1-p^{d-1}}) & C_{d2}\lambda(\alpha^{p-p^{d-1}}) & C_{d3}\lambda(\alpha^{p^2-p^{d-1}}) & \cdots & C_{dd}\lambda(1) \end{pmatrix}, 

that is, the (i, j) entry of M_λ is C_{ij} λ(α^{p^{j−1} − p^{i−1}}). 

Now we shall use the notation of the previous lemma. For any i ∈ {1, ..., d − 
1} consider the polynomial: 

    F_i(x) = (x - 1) \prod_{j=1, j \neq i}^{d-1} f_j(x) \in K[x]. 

By Lemma 3, any element g(x) in the ideal (F_i(x)) verifies that g(α^{p^j − 1}) = 0 if 
j ∈ {0, ..., d − 1} with j ≠ i, and the set {g(α^{p^i − 1}) | g(x) ∈ (F_i(x))} is equal to 
L. Now consider a polynomial g_i(x) ∈ (F_i(x)) with i ≡ j − k (mod d); then each row of 
M_{g_i} has a single nonzero entry, located in column k + i (mod d) for row k: 

    M_{g_i} = \begin{pmatrix} 0 & \cdots & 0 & C_{1(i+1)}\,g_i(\alpha^{p^i-1}) & 0 & \cdots & 0 \\ \vdots & & & & & & \vdots \\ 0 & \cdots & C_{di}\,g_i(\alpha^{p^i-1})^{p^{d-1}} & \cdots & & & 0 \end{pmatrix}. 

The k-th row of the matrix has the form: 

    (0, ..., 0, C_{kj}\,g_i(\alpha^{p^i-1})^{p^{k-1}}, 0, ..., 0) 

and 

    (0, ..., 0, C_{kj}\,g_i(\alpha^{p^i-1})^{p^{k-1}}, 0, ..., 0)\,x^B = C_{kj}\,g_i(\alpha^{p^i-1})^{p^{k-1}}. 

Therefore the set 

    \{(0, ..., 0, C_{kj}\,g_i(\alpha^{p^i-1})^{p^{k-1}}, 0, ..., 0)\,x^B \mid g_i(x) \in (F_i(x))\} 

is equal to L. But this is the set of all possible elements in the k-th coordinate of 
the K-linear combinations of {D^{−t}CD^t x^B}_{t∈ℕ}, so dim_K({D^{−t}CD^t x^B}_{t∈ℕ}) = d. 

As a corollary to this theorem we can give an answer to our problem of 
right-left cyclic top-associative GGR. 

Corollary 3. Let S ∈ GGR(GF(p^d), p^n) (n > 1) be a top-associative, not asso- 
ciative GGR, char S = 2^n or odd, and let a ∈ S* be an element such that ā is 
a primitive element of GF(p^d). Then S* = RL_a(e) if and only if R_a ≠ L_a. 

Proof. If S* = RL_a(e) then it is clear that R_a ≠ L_a, in view of Corollary 
2. On the other hand, if R_a ≠ L_a then L_a = R_a(E + pφ) with φ ≠ 0. 
If φ commutes with R_a then, by Proposition 1, it is a polynomial in R_a, so 
φ(e) = a^{(s)} ≠ 0 for some s ∈ ℕ and, therefore, a = L_a(e) = R_a(E + pφ)(e) = a + 
pR_a(a^{(s)}) ≠ a, a contradiction. Therefore φ does not commute with R_a. According to 
Propositions 3 and 4 and Theorem 3, we conclude that S* = RL_a(e). 



Corollary 4. Let S ∈ GGR(GF(p^d), p^n) (n > 1) be a top-associative, not asso- 
ciative GGR, char S = 2^n or odd. Then S is right-left cyclic if and only if S_crit 
is not commutative. 

Proof. If S is right-left cyclic then, by Corollary 3, S_crit is not commutative. 
Reciprocally, let us assume that S_crit is not commutative. Using a refinement 
of the normal basis theorem (Theorem 2.40 [14]) there exists a Z_p-basis of 
GF(p^d), {x_1, ..., x_d}, consisting of primitive elements of GF(p^d). Taking ele- 
ments a_1, ..., a_d ∈ S*, such that ā_i = x_i (for i ∈ {1, ..., d}), the set B = 
{a_1, ..., a_d} is a Z_{p^n}-basis of S. Moreover, since S_crit is not commutative, 
there exists i ∈ {1, ..., d} such that R_{a_i} ≠ L_{a_i}, so we can apply the previous 
corollary to conclude that S is right-left cyclic. 

We have shown that a top-associative GGR S is right-left cyclic if and only 
if the critical factor ring of S is not commutative. Following similar techniques 
and, in particular, using Theorem 3, it is possible to characterize cyclic GGR 
whose top-factor is a right primitive finite semifield by the fact that its critical 
factor ring is not associative [4]. 
Abstract. We improve an algorithm originally due to Chudnovsky and 
Chudnovsky for computing one selected term in a linear recurrent se- 
quence with polynomial coefficients. Using baby-steps / giant-steps tech- 
niques, the nth term in such a sequence can be computed in time pro- 
portional to √n, instead of n for a naive approach. 

As an intermediate result, we give a fast algorithm for computing the 
values taken by a univariate polynomial P on an arithmetic progression, 
taking as input the values of P on a translate of this progression. 

We apply these results to the computation of the Cartier-Manin operator 
of a hyperelliptic curve. If the base field has characteristic p, this enables 
us to reduce the complexity of this computation by a factor of order √p. 
We treat a practical example, where the base field is an extension of 
degree 3 of the prime field with p = 2^32 − 5 elements. 



1 Introduction 

In this paper, we investigate some complexity questions related to linear re- 
current sequences. Specifically, we concentrate on recurrences with polynomial 
coefficients; our main focus is on the complexity of computing one selected term 
in such a recurrence. 

A well-known particular case is that of recurrences with constant coefficients, 
where the nth term can be computed with a complexity that is logarithmic in n, 
using binary powering techniques. 

In the general case, there is a significant gap, as for the time being no algo- 
rithm with complexity polynomial in log(n) is known. Yet, in [10], Chudnovsky 
and Chudnovsky proposed an algorithm that allows one to compute one selected 
term in such a sequence without computing all intermediate ones. This algo- 
rithm appears as a generalization of those of Pollard [23] and Strassen [30] for 
integer factorization; using baby-steps / giant-steps techniques, it requires a 
number of operations which is roughly linear in √n to compute the nth term in 
the sequence. 

Our main contribution is an improvement of the algorithm of [10]; for sim- 
plicity, we only give the details in the case when all coefficients are polynomials 
of degree 1, as the study in the general case would follow in the same manner. 
The complexity of our algorithm is still (roughly) linear in √n; Chudnovsky and 
Chudnovsky actually suggested that this bound might be essentially optimal. We 
improve the time and space complexities by factors that are logarithmic in n; in 
practice, this is far from negligible, since in the application detailed below, n has 
order 2^32. A precise comparison with Chudnovsky and Chudnovsky's algorithm 
is made in Section 3. 

Along the way, we also consider a question of basic polynomial arithmetic: 
given the values taken by a univariate polynomial P on a set of points, how fast 
can we compute the values taken by P on a translate of this set of points? An ob- 
vious solution is to make use of fast interpolation and evaluation techniques, but 
we show that one can do better when the evaluation points form an arithmetic 
sequence. 



Computing the Cartier-Manin operator. Our initial motivation is an appli- 
cation to point-counting procedures in hyperelliptic curve cryptography, related 
to the computation of the Cartier-Manin operator of curves over finite fields. We 
now present these matters in more detail. 

The Cartier-Manin operator of a curve defined over a finite field, together 
with the Hasse-Witt matrix, are useful tools to study the arithmetic properties of 
the Jacobian of that curve. Indeed, the supersingularity, and more generally the 
p-rank, can be read from the invariants of the Hasse-Witt matrix. In the case of 
hyperelliptic curves, this matrix was used in [13, 21] as part of a point-counting 
procedure for cryptographic-oriented applications. 

Indeed, thanks to a result of Manin, computing the Cartier-Manin operator 
gives the coefficients of the Zeta function modulo p; this partial information 
can then be completed by some other algorithms. However, in [13] and [21], 
the method used to compute the Hasse-Witt matrix has a complexity which is 
essentially linear in p. 

It turns out that one can do better. The entries of the Hasse-Witt matrix of 
a hyperelliptic curve y^2 = f(x) defined over a finite field of characteristic p are 
coefficients of the polynomial h = f^{(p−1)/2}, so they satisfy a linear recurrence 
with rational function coefficients. Using our results on linear recurrences, this 
remark yields an algorithm to compute the Hasse-Witt matrix whose complexity 
now grows like √p up to logarithmic factors, instead of p. 

We demonstrate the interest of these techniques by a point-counting example, 
for a curve of genus 2 defined over a finite field whose characteristic just fits in one 
32-bit machine word; such fields are of interest for efficiency reasons [3]. 

Note finally that other point-counting algorithms, such as the p-adic methods 
used in Kedlaya’s algorithm [18], also provide efficient point-counting procedures 
in small characteristic, but their complexity remains at least linear in p [12]. On 
the other hand, Kedlaya’s algorithm outputs the whole Zeta function and should 
be preferred if available. Therefore, the range of application of our algorithm is 
when the characteristic is too large for Kedlaya's algorithm to be run. 



Organization of the paper. We start in Section 2 with our algorithm for 
shifting a polynomial given by its values on some evaluation points. This building 
block is used in Section 3 to describe our improvement on Chudnovsky and 
Chudnovsky’s algorithm. In Section 4 we apply these results to the computation 
of the Cartier-Manin operator of a hyperelliptic curve. We conclude in Section 5 
with a numerical example. 



Notation. In what follows, we give complexity estimates in terms of number 
of base ring operations (additions, subtractions, multiplications and inversions 
of unit elements) and of storage requirements; this last quantity is measured 
in terms of number of elements in the ring. We pay particular attention to 
polynomial and matrix multiplications and use the following notation. 

— Let R be a commutative ring; we suppose that R is unitary, its unit element 
being denoted by 1_R, or simply 1. Let φ be the map ℕ → R sending n to 
1_R + ··· + 1_R (n times); the map φ extends to a map ℤ → R. When 
the context is clear, we simply denote the ring element φ(n) by n. 

— We denote by M : ℕ → ℕ a function that represents the complexity of 
univariate polynomial multiplication, i.e. such that over any ring R, the 
product of two degree d polynomials can be computed within M(d) base 
ring operations. Using the algorithms of [25,24,8], M(d) can be taken in 
O(d log(d) log(log(d))). 

We suppose that the function M verifies the inequality M(d_1) + M(d_2) ≤ 
M(d_1 + d_2) for all positive integers d_1 and d_2; in particular, the inequality 
M(d) ≤ ½ M(2d) holds for all d ≥ 1. On the other hand, we make the 
(natural) hypothesis that M(cd) ∈ O(M(d)) for all c ≥ 1. 

We also assume that the product of two degree d polynomials can be com- 
puted in space O(d); this is the case for all classical algorithms, such as naive, 
Karatsuba and Schönhage-Strassen multiplications. 

— We let ω be a real number such that for every commutative ring R, all n × n 
matrices over R can be multiplied within O(n^ω) operations in R. The clas- 
sical multiplication algorithm gives ω = 3. Using Strassen's algorithm [29], 
we can take ω = log_2(7) ≈ 2.81. We assume that the product of two n × n 
matrices can be computed in space O(n^2), which is the case for classical as 
well as Strassen's multiplications. 

In the sequel, we need the following classical result on polynomial arithmetic 
over R. The earliest references we are aware of are [22,4], see [31] for a detailed 
account. We also refer to [6] for a solution that is in the same complexity class, 
but where the constant hidden in the O( ) notation is actually smaller than that 
in [31]. 
Multipoint evaluation. If P is a polynomial of degree d in R[X] and r_0, ..., r_d 
are points in R, then the values P(r_0), ..., P(r_d) can be computed using 
O(M(d) log(d)) operations in R and O(d log(d)) space. 

2 Shifting Evaluation Values 

In this section, we address a particular case of the question of shifting evaluation 
values of a polynomial. The question reads as follows: Let P be a polynomial of 
degree d in R[X], where R is a commutative unitary ring. Let a and r_0, ..., r_d be 
in R. Given P(r_0), ..., P(r_d), how fast can we compute P(r_0 + a), ..., P(r_d + a)? 
A reasonable condition for this question to make sense is that all differences 
r_i − r_j, i ≠ j, are units in R; otherwise, uniqueness of the answer might be lost. 
Under this assumption, using fast interpolation and fast multipoint evaluation, 
the problem can be answered within O(M(d) log(d)) operations in R. We now 
show that the cost reduces to M(2d) + O(d) operations in R, in the particular case 
when r_0, ..., r_d are in arithmetic progression, so we gain a logarithmic factor. 

Our solution reduces to the multiplication of two suitable polynomials of 
degree at most 2d; 0{d) additional operations come from additional pre- and 
post-processing operations. As mentioned in Section 1, all operations made below 
on integer values actually take place in R. 

The algorithm underlying Proposition 1 is given in Figure 1; we use the 
notation coeff(Q, k) to denote the coefficient of degree k of a polynomial Q. We 
stress the fact that the polynomial P is not part of the input of our algorithm. 



Input P(0), ..., P(d) and a in R 
Output P(a), ..., P(a + d) 

— Compute 

    \delta(0,d) = \prod_{j=1}^{d} (-j), \quad \delta(i,d) = \frac{i}{i-d-1}\,\delta(i-1,d), \quad i = 1, \dots, d 

    \Delta(a,0,d) = \prod_{j=0}^{d} (a-j), \quad \Delta(a,k,d) = \frac{a+k}{a+k-d-1}\,\Delta(a,k-1,d), \quad k = 1, \dots, d 

— Let 

    \tilde{P} = \sum_{i=0}^{d} \frac{P(i)}{\delta(i,d)} X^{i}, \quad S = \sum_{i=0}^{2d} \frac{1}{a+i-d} X^{i}, \quad Q = \tilde{P} S. 

— Return the sequence Δ(a, 0, d)·coeff(Q, d), ..., Δ(a, d, d)·coeff(Q, 2d). 

Fig. 1. Shifting evaluation values 
Proposition 1 Let R be a commutative ring with unity, and d ∈ ℕ such that 
1, ..., d are units in R. Let P be in R[X] of degree d, such that the sequence 

P(0), ..., P(d) 

is known. Let a be in R, such that a − d, ..., a + d are units in R. Then the 
sequence 

P(a), ..., P(a + d) 

can be computed within M(2d) + O(d) base ring operations, using space O(d). 

Proof. Our assumption on R enables us to write the Lagrange interpolation for- 
mula: 

    P = \sum_{i=0}^{d} P(i) \prod_{j=0, j \neq i}^{d} \frac{X - j}{i - j}. 

From now on, we denote by δ(i, d) the denominator \prod_{j=0, j \neq i}^{d} (i - j) and by P_i 
the ratio P(i)/δ(i, d). 

First note that all δ(i, d), i = 0, ..., d, can be computed in O(d) operations 
in R. Indeed, computing the first value δ(0, d) = \prod_{j=1}^{d} (-j) takes d multiplica- 
tions. Then for i = 1, ..., d, δ(i, d) can be deduced from δ(i − 1, d) for two ring 
operations using the formula 

    \delta(i,d) = \frac{i}{i-d-1}\,\delta(i-1,d), 

so their inductive computation requires O(d) multiplications as well. Thus the 
sequence P_i, i = 0, ..., d, can be computed in admissible time and space O(d) 
from the input sequence P(i). Accordingly, we rewrite the above formula as 

    P = \sum_{i=0}^{d} P_i \prod_{j=0, j \neq i}^{d} (X - j). 

For k in 0, ..., d, let us evaluate P at a + k: 

    P(a+k) = \sum_{i=0}^{d} P_i \prod_{j=0, j \neq i}^{d} (a + k - j). 

Using our assumption on a, we can complete each product by the missing factor 
a + k − i: 

    P(a+k) = \sum_{i=0}^{d} P_i \frac{\prod_{j=0}^{d} (a+k-j)}{a+k-i} = \Big(\prod_{j=0}^{d} (a+k-j)\Big)\Big(\sum_{i=0}^{d} P_i \frac{1}{a+k-i}\Big). \quad (1) 

Just as we introduced the sequence δ(i, d) above, we now introduce the sequence 
Δ(a, k, d) defined by Δ(a, k, d) = \prod_{j=0}^{d} (a + k - j). In a parallel manner, we 
deduce that all Δ(a, k, d), k = 0, ..., d can be computed in time and space O(d), 
using the formulas: 

    \Delta(a,0,d) = \prod_{j=0}^{d} (a - j), \quad \Delta(a,k,d) = \frac{a+k}{a+k-d-1}\,\Delta(a,k-1,d). 

Let us denote Q_k = P(a + k)/Δ(a, k, d). We now show that knowing P_i, i = 
0, ..., d, we can compute Q_k, k = 0, ..., d in M(2d) base ring operations and 
space O(d); this is enough to conclude, by the above reasoning. 

Using the coefficients Δ(a, k, d), Equation (1) reads 

    Q_k = \sum_{i=0}^{d} P_i \frac{1}{a+k-i}. \quad (2) 

Let \tilde{P} and S be the polynomials: 

    \tilde{P} = \sum_{i=0}^{d} P_i X^{i}, \quad S = \sum_{i=0}^{2d} \frac{1}{a+i-d} X^{i}; 

then by Equation (2), for k = 0, ..., d, Q_k is the coefficient of degree k + d in 
the product \tilde{P}S. This concludes the proof. □ 



We will conclude this section by an immediate corollary of this proposition; 
we first give a few comments. 

— An alternative O(M(d)) algorithm which does not require any invertibility 
hypotheses can be designed in the special case when a = d + 1. The key fact 
is that for any degree d polynomial P, the sequence P(0), P(1), ... is linearly 
recurrent, of characteristic polynomial Q(X) = (1 − X)^{d+1}. Thus, if the first 
terms P(0), ..., P(d) are known, the next d + 1 terms P(d + 1), ..., P(2d + 1) 
can be recovered in O(M(d)) using the algorithm in [27, Theorem 3.1]. 

— The general case when the evaluation points form an arbitrary arithmetic 
progression reduces to the case treated in the above proposition. Indeed, 
suppose that r_0, ..., r_d form an arithmetic progression of difference δ, that 
P(r_0), ..., P(r_d) are known and that we want to compute the values P(r_0 + 
a), ..., P(r_d + a), where a ∈ R is divisible by δ. Introducing the polynomial 
Q(X) = P(δX + r_0), we are under the hypotheses of the above proposition, 
and it suffices to determine the shifted evaluation values of Q by a/δ. 

— The reader may note the similarity of our problem with the question of 
computing the Taylor expansion of a given polynomial P at a given point 
in R. The algorithm of [2] solves this question with a complexity of M(d) + 
O(d) operations in R and space O(d). The complexity results are thus quite 
similar; it turns out that analogous generating series techniques are used in 
that algorithm. 
— In [15], an operation called middle product is defined: Given a ring R, and 
A, B in R[X] of respective degrees d and 2d, write AB = C_0 + X^d C_1 + X^{2d+1} C_2, 
with all C_i of degree at most d; then the middle product of A 
and B is the polynomial C_1. This is precisely what is needed in the above 
algorithm. 

Up to considering the reciprocal polynomial of A, the middle product by A 
can be seen as the transpose of the map of multiplication by A. General 
program transformation techniques [7, 15] then show that it can be computed 
in time M(d) + O(d), but with a possible loss in space complexity. In [6], it 
is shown how to keep the same space complexity, at the cost of a constant 
increase in time complexity. Managing both requirements remains an open 
question, already stated in [17, Problem 6]. 

Corollary 1 Let R be a commutative ring with unity, and d ∈ ℕ such that 
1, ..., 2d + 1 are units in R. Let P be a degree d polynomial in R[X] such that 
the sequence 

P(0), ..., P(d) 

is known. For any s in ℕ, the sequence 

P(0), P(2^s), ..., P(2^s d) 

can be computed in time s M(2d) + O(sd) ∈ O(s M(d)) and space O(d). 

Proof. For any s ∈ ℕ, let us denote by P_s(X) the polynomial P(2^s X). We 
prove by induction that all values P_s(0), ..., P_s(d) can be computed in time 
s M(2d) + O(sd) and space O(d), which is enough to conclude. The case s = 0 is 
obvious, as there is nothing to compute. Suppose then that P_s(0), ..., P_s(d) can 
be computed in time s M(2d) + O(sd) and using O(d) temporary space allocation. 

Under our assumption on R, Proposition 1 shows that the values P_s(d + 
1), ..., P_s(2d + 1) can be computed in time M(2d) + O(d), using again O(d) 
temporary space allocation. The values P_s(0), P_s(2), ..., P_s(2d) coincide with 
P_{s+1}(0), P_{s+1}(1), ..., P_{s+1}(d), so the corollary is proved. □ 
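The algorithm of Figure 1 / Proposition 1 and the doubling step of Corollary 1, as an added worked example over Z/pZ (this is not code from the paper; the prime modulus and the sample polynomial are constructed choices, and the schoolbook product stands in for the M(2d) polynomial multiplication):

```python
# Added example, not part of the paper: the value-shifting algorithm of
# Figure 1 / Proposition 1 and the doubling step of Corollary 1, over the
# prime field Z/pZ.  The modulus below is a constructed choice; it only has to
# make 1, ..., 2d+1 and a-d, ..., a+d units, as the proposition requires.
P_MOD = 1_000_003


def inv(x, p=P_MOD):
    """Inverse of a unit of Z/pZ (Fermat)."""
    return pow(x % p, p - 2, p)


def poly_mul(f, g, p=P_MOD):
    """Schoolbook product of coefficient lists; stands in for the M(2d) step."""
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % p
    return out


def shift_values(vals, a, p=P_MOD):
    """Figure 1: from P(0), ..., P(d) return P(a), ..., P(a+d).

    P itself is never reconstructed; only its values are used.
    """
    d = len(vals) - 1
    # delta(i,d) = prod_{j != i} (i - j), via delta(i,d) = i/(i-d-1) * delta(i-1,d)
    delta = [1] * (d + 1)
    for j in range(1, d + 1):
        delta[0] = delta[0] * (-j) % p
    for i in range(1, d + 1):
        delta[i] = delta[i - 1] * i % p * inv(i - d - 1, p) % p
    # Delta(a,k,d) = prod_{j=0..d} (a + k - j), via the parallel recurrence
    Delta = [1] * (d + 1)
    for j in range(d + 1):
        Delta[0] = Delta[0] * (a - j) % p
    for k in range(1, d + 1):
        Delta[k] = Delta[k - 1] * (a + k) % p * inv(a + k - d - 1, p) % p
    # P~ = sum_i P(i)/delta(i,d) X^i  and  S = sum_{i=0}^{2d} X^i / (a + i - d)
    p_tilde = [vals[i] * inv(delta[i], p) % p for i in range(d + 1)]
    s = [inv(a + i - d, p) for i in range(2 * d + 1)]
    q = poly_mul(p_tilde, s, p)  # only coefficients d..2d (the middle product) matter
    return [Delta[k] * q[d + k] % p for k in range(d + 1)]


def eval_poly(coeffs, x, p=P_MOD):
    """Horner evaluation; used only to build inputs and to check results."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def values_on_doubling_grid(vals, s, p=P_MOD):
    """Corollary 1: from P(0..d) return P(0), P(2^s), ..., P(2^s d).

    Each round shifts the values of P_s(X) = P(2^s X) by a = d+1 and keeps the
    even-indexed ones, which are the values of P_{s+1} at 0..d.
    """
    d = len(vals) - 1
    cur = list(vals)
    for _ in range(s):
        upper = shift_values(cur, d + 1, p)   # P_s(d+1), ..., P_s(2d+1)
        cur = (cur + upper)[0::2]             # P_s(0), P_s(2), ..., P_s(2d)
    return cur


if __name__ == "__main__":
    coeffs = [3, 1, 4, 1, 5]                     # constructed P of degree 4
    vals = [eval_poly(coeffs, i) for i in range(5)]
    print(shift_values(vals, 7))
    print([eval_poly(coeffs, 7 + k) for k in range(5)])
    print(values_on_doubling_grid(vals, 3))
```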

3 Computing one Selected Term of a Linear Sequence 

In this section, we recall and improve the complexity of an algorithm due to 
Chudnovsky and Chudnovsky [10] for computing selected terms of linear recur- 
rent sequences with polynomial coefficients. The results of the previous section 
are used as a basic subroutine for these questions. 

As in the previous section, R is a commutative ring with unity. Let A be an 
n × n matrix of polynomials in R[X]. For simplicity, in what follows, we only 
treat the case of degree 1 polynomials, since this is what is needed in the sequel. 
Nevertheless, all results extend mutatis mutandis to arbitrary degree. 

For r in R, we denote by A(r) the matrix over R obtained by specializing all 
coefficients of A at r. In particular, for k in ℕ, A(k · 1_R) is simply denoted by 
A(k), following the convention used up to now. Given a vector of initial conditions 
U_0 = [α_1, ..., α_n]^t ∈ R^n and given k in ℕ, we consider the question of computing 
the kth term of the linear sequence defined by the relation U_i = A(i)U_{i−1} for 
i > 0, that is, the product 

    U_k = A(k)A(k-1) \cdots A(1)U_0. 

For simplicity, we write 

    U_k = \Big(\prod_{i=1}^{k} A(i)\Big) U_0, 

performing all successive matrix products, i = 1, ..., k, on the left side. We use 
this convention hereafter. 

In the particular case when A is a matrix of constant polynomials, and taking 
only the dependence on k into account, the binary powering method gives a time 
complexity of order O(log(k)) base ring operations. 

In the general case, the naive solution consists in evaluating all matrices 
A(i) and performing all products. With respect to k only, the complexity of this 
approach is of order O(k) base ring operations. In [10], Chudnovsky and Chud- 
novsky propose an algorithm that reduces this cost to essentially O(√k). We 
first recall the main lines of this algorithm; we then present some improvements 
in both time and space complexities. 



The algorithm of Chudnovsky and Chudnovsky. The original algorithm 
uses baby-step / giant-step techniques, so for simplicity we assume that k is a 
square in ℕ. Let C be the n × n matrix over R[X] defined by 

    C = \prod_{i=1}^{\sqrt{k}} A(X + i), 

where A(X + i) denotes the matrix A with all polynomials evaluated at X + i. 
By assumption on A, the entries of C have degree at most √k. For r in R, we 
denote by C(r) the matrix C with all entries evaluated at r. Then the requested 
output U_k can be obtained by the equation 

    U_k = \Big(\prod_{i=0}^{\sqrt{k}-1} C(i\sqrt{k})\Big) U_0. \quad (3) 

Here are the main steps of the algorithm underlying Equation (3), originally 
due to [10]. 

Baby steps. The "baby steps" part of the algorithm consists in computing the 
polynomial matrix C. In [10], this is done within O(n^ω M(√k)) base ring 
operations, as products of polynomial matrices with entries of degree O(√k) 
are required. 
Giant steps. In the second part the matrix C is evaluated on the arithmetic 
progression 0, √k, 2√k, ..., (√k − 1)√k and the value of U_k is obtained us- 
ing Equation (3). Using fast evaluation techniques, all evaluations are done 
within O(n^2 M(√k) log(k)) base ring operations, while performing the √k 
successive matrix-vector products in Equation (3) adds a negligible cost of 
O(n^2 √k) operations in R. 

Summing all the above costs gives an overall complexity bound of 

    O(n^ω M(√k) + n^2 M(√k) log(k)) 

base ring operations for computing a selected term of a linear sequence. Due 
to the use of fast evaluation algorithms in degree √k, the space complexity is 
O(n^2 √k + √k log(k)). 

In the particular case when A is the 1 × 1 matrix [X], the question reduces to 
the computation of \prod_{i=1}^{k} i = k!; for this specific problem, note that the 
ideas presented above were already used in [23, 30], for the purpose of factoring 
integers. 



Avoiding multiplications of polynomial matrices. In what follows, we 
show how to avoid the multiplication of polynomial matrices, and reduce the 
cost of the above algorithm to O(n^ω √k + n^2 M(√k) log(k)) base ring operations, 
storing only O(n^2 √k) elements of R. 

Our improvements are obtained through a modification of the baby steps 
phase; the underlying idea is to work with the values taken by the polynomial 
matrices instead of their representation on the monomial basis. This idea is 
encapsulated in the following proposition. 

Proposition 2 Let A be an n × n matrix with entries in R[X], of degree at most 1. 
Let N ≥ 1 be an integer and let C be the n × n matrix over R[X] defined by 

    C = \prod_{i=1}^{N} A(X + i). 

Then one can compute all scalar matrices C(0), C(1), ..., C(N) within O(n^ω N) 
operations in R and with a memory requirement of O(n^2 N) elements in R. 

Proof. We first compute the scalar matrices A(1), A(2), ..., A(2N). Since all 
entries of A are linear in X, the complexity of this preliminary step is O(n^2 N), 
both in time and space. 

Then, we construct the matrices (C'_j)_{0≤j≤N} and (C''_j)_{0≤j≤N}, which are de- 
fined as follows: we let C'_0 and C''_0 equal the identity matrix I_n and we recursively 
define 

    C'_j = A(N + j)\,C'_{j-1} \quad \text{for } 1 \le j \le N, 
    C''_j = C''_{j-1}\,A(N - j + 1) \quad \text{for } 1 \le j \le N. 
Explicitly, for 0 ≤ j ≤ N, we have 

    C'_j = A(N + j) \cdots A(N + 1) 

and 

    C''_j = A(N) \cdots A(N - j + 1), 

thus 

    C''_{N-j} = A(N) \cdots A(j + 1). 

Computing all the scalar matrices (C'_j) and (C''_j) requires 2N matrix multiplica- 
tions with entries in R; their cost is bounded by O(n^ω N) in time and by O(n^2 N) 
in space. Lastly, the formula 

    C(j) = A(N + j) \cdots A(N + 1)\,A(N) \cdots A(j + 1) = C'_j\,C''_{N-j}, \quad 0 \le j \le N 

enables us to recover C(0), C(1), ..., C(N) in time O(n^ω N) and space O(n^2 N). □ 

From this proposition, we deduce the following corollary, which shows how to compute the scalar matrices used in the giant steps.

Corollary 2 Let $A$ and $C$ be polynomial matrices as in Proposition 2. If the elements $1, \dots, 2N+1$ are units in $R$, then for any integer $s \ge 1$, the sequence
$$C(0),\ C(2^s),\ \dots,\ C(2^s(N-1))$$
can be computed using $O(n^{\omega} N + n^2 s\, M(N))$ operations in $R$ and $O(n^2 N)$ memory space.

Proof. This is an immediate consequence of Proposition 2 and Corollary 1. $\square$

The above corollary enables us to perform the "giant steps" phase of Chudnovsky and Chudnovsky's algorithm in the special case when $N = 2^s$; this yields the $4^s$-th term in the recurrent sequence. Using this intermediate result, the following theorem shows how to compute the $k$th term, for arbitrary $k$, using the 4-adic expansion of $k$.

Theorem 1 Let $A$ be an $n \times n$ matrix with linear entries in $R[X]$ and let $U_0$ be in $R^n$. Suppose that $(U_i)$ is the sequence of elements in $R^n$ defined by the linear recurrence
$$U_{i+1} = A(i+1)\, U_i, \qquad \text{for all } i \ge 0.$$
Let $k > 0$ be an integer and suppose that $1, \dots, 2\lceil\sqrt{k}\rceil + 1$ are units in $R$. Then the vector $U_k$ can be computed within $O(n^{\omega}\sqrt{k} + n^2 M(\sqrt{k})\log(k))$ operations in $R$ and using memory space $O(n^2\sqrt{k})$.

The proof of Theorem 1 is divided in two steps. We begin by proving the proposition in the particular case when $k$ is a power of 4, then we treat the general case.
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The case fc is a power of 4. Let us suppose that TV = 2® and k = iV^, 
so that /c = 4®. With this choice of k, Corollary 2 shows that the values 
C(0), C(TV), . . . , C{{N — l)N) can be computed within the required time and 
space complexities. Then we go on to the giant step phase described at the be- 
ginning of the section, and summarized in Equation (3). It consists in performing 
y/k successive matrix-vector products, which has a cost in both time and space 
of 0{n'^Vk). 
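As an added worked example (not part of the paper), the following Python code carries out Proposition 2 and the giant-step phase for $k = N^2$ over $R = \mathbb{Z}/m\mathbb{Z}$ with $m$ prime, so that $1, \dots, 2N+1$ are units. The baby steps compute $C(0), \dots, C(N)$ with the $C'_j$, $C''_j$ trick; since $C$ has degree at most $N$, the values $C(jN)$ needed by the giant steps are recovered here by plain Lagrange evaluation from those $N+1$ values, a quadratic-time stand-in for the fast shift of Corollary 1, whose statement is not on this page. The modulus and sample matrices are constructed for the check; the $1 \times 1$ case $A(X) = [X]$ recovers $k!$.

```python
# Added example: Proposition 2 plus giant steps for k = N^2 over Z/mZ, m prime.
# A(X) = A0 + X*A1 with n x n integer matrices; matrices are lists of rows.
from typing import List

Matrix = List[List[int]]


def mat_mul(A: Matrix, B: Matrix, m: int) -> Matrix:
    n = len(A)
    return [[sum(A[i][l] * B[l][j] for l in range(n)) % m for j in range(n)] for i in range(n)]


def mat_vec(A: Matrix, v: List[int], m: int) -> List[int]:
    return [sum(A[i][l] * v[l] for l in range(len(v))) % m for i in range(len(A))]


def identity(n: int) -> Matrix:
    return [[int(i == j) for j in range(n)] for i in range(n)]


def eval_linear(A0: Matrix, A1: Matrix, x: int, m: int) -> Matrix:
    """Scalar matrix A(x) for A(X) = A0 + X*A1 (entries of degree <= 1)."""
    return [[(A0[i][j] + x * A1[i][j]) % m for j in range(len(A0))] for i in range(len(A0))]


def prop2_values(A0: Matrix, A1: Matrix, N: int, m: int) -> List[Matrix]:
    """[C(0), ..., C(N)] for C(X) = A(X+N) ... A(X+1): 2N products build the
    C'_j and C''_j from A(1), ..., A(2N), then C(j) = C'_j C''_{N-j}."""
    n = len(A0)
    Aval = {i: eval_linear(A0, A1, i, m) for i in range(1, 2 * N + 1)}
    Cp = [identity(n)]    # C'_j  = A(N+j) ... A(N+1)
    Cpp = [identity(n)]   # C''_j = A(N) ... A(N-j+1)
    for j in range(1, N + 1):
        Cp.append(mat_mul(Aval[N + j], Cp[-1], m))
        Cpp.append(mat_mul(Cpp[-1], Aval[N - j + 1], m))
    return [mat_mul(Cp[j], Cpp[N - j], m) for j in range(N + 1)]


def direct_C(A0: Matrix, A1: Matrix, N: int, x: int, m: int) -> Matrix:
    """C(x) straight from the definition, for checking."""
    C = identity(len(A0))
    for i in range(1, N + 1):
        C = mat_mul(eval_linear(A0, A1, x + i, m), C, m)
    return C


def lagrange_eval(values: List[Matrix], x: int, m: int) -> Matrix:
    """C(x) from C(0), ..., C(N): C has degree <= N and 1, ..., N are units mod m.
    Quadratic-time stand-in for the fast shift of Corollary 1 (not reproduced here)."""
    N, n = len(values) - 1, len(values[0])
    out = [[0] * n for _ in range(n)]
    for i in range(N + 1):
        num, den = 1, 1
        for l in range(N + 1):
            if l != i:
                num = num * (x - l) % m
                den = den * (i - l) % m
        w = num * pow(den, -1, m) % m          # Lagrange weight L_i(x)
        for r in range(n):
            for c in range(n):
                out[r][c] = (out[r][c] + w * values[i][r][c]) % m
    return out


def selected_term(A0: Matrix, A1: Matrix, U0: List[int], N: int, m: int) -> List[int]:
    """U_{N^2} = C((N-1)N) ... C(N) C(0) U_0: baby steps give C(0..N), the
    giant steps apply the N matrices C(jN) to the vector (Equation (3))."""
    vals = prop2_values(A0, A1, N, m)
    U = list(U0)
    for j in range(N):
        U = mat_vec(lagrange_eval(vals, j * N, m), U, m)
    return U


def naive_term(A0: Matrix, A1: Matrix, U0: List[int], k: int, m: int) -> List[int]:
    """U_k by k matrix-vector products, for checking."""
    U = list(U0)
    for i in range(1, k + 1):
        U = mat_vec(eval_linear(A0, A1, i, m), U, m)
    return U


# Constructed sample: a prime modulus, a 2 x 2 A(X), and the 1 x 1 case A(X) = [X] (U_k = k!).
M_PRIME = 1000003
A0_SAMPLE, A1_SAMPLE = [[1, 2], [3, 4]], [[1, 0], [2, 1]]
FACT_A0, FACT_A1 = [[0]], [[1]]
```

The baby-step phase stores only the $2N+2$ scalar matrices $C'_j$, $C''_j$, which is the $O(n^2 N)$ memory bound of the proposition; replacing `lagrange_eval` by the fast shift is what brings the total down to the bound of Theorem 1.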

The general case. We now consider the general case. Let $k = \sum_{i=0}^{s} k_i 4^i$ be the 4-adic expansion of $k$, with $k_i \in \{0, 1, 2, 3\}$ for all $i$. Given any $t$, we will denote by $k^{(t)}$ the integer $\sum_{i=0}^{t-1} k_i 4^i$. Using this notation, we define a sequence $(V_t)_{0 \le t \le s+1}$ as follows: we let $V_0 = U_0$ and, for $0 \le t \le s$ we set
$$V_{t+1} = A\big(k^{(t)} + 4^t k_t\big) \cdots A\big(k^{(t)} + 1\big)\, V_t. \tag{4}$$
It is easy to verify that $V_{s+1} = U_k$. Therefore, it suffices to compute the sequence $(V_t)$ within the desired complexities.

Supposing that the term $V_t$ has been determined, we estimate the cost of computing the next term $V_{t+1}$. If $k_t$ is zero, we have nothing to do. Otherwise, we let $V_t^{(0)} = V_t$ and, for $1 \le j \le k_t$, we let $A^{(j)}(X) = A\big(X + k^{(t)} + 4^t(j-1)\big)$. Then we define $V_t^{(j)}$ by
$$V_t^{(j)} = A^{(j)}(4^t) \cdots A^{(j)}(1)\, V_t^{(j-1)}, \qquad j = 1, \dots, k_t.$$
By Equation (4), we have $V_t^{(k_t)} = V_{t+1}$. Thus, passing from $V_t$ to $V_{t+1}$ amounts to computing $k_t$ selected terms (the $4^t$-th term of the recurrence defined by $A^{(j)}$, for $j = 1, \dots, k_t$) of a linear recurrence of the special form treated in the previous paragraph. Using the complexity result therein and the fact that all $k_t$ are bounded by 3, the total cost of the general case is thus
$$O\Big(\sum_{t=0}^{s} \big(n^{\omega} 2^t + n^2\, t\, M(2^t)\big)\Big) = O\big(n^{\omega} 2^s + n^2\, s\, M(2^s)\big).$$
Using the fact that $2^s \le \sqrt{k} < 2^{s+1}$ and the assumptions on the function $M$, we easily deduce that the whole complexity fits into the bound $O(n^{\omega}\sqrt{k} + n^2 M(\sqrt{k})\log(k))$, as claimed. Similar considerations also yield the bound concerning the memory requirements. This concludes the proof of Theorem 1.

Comments. The question of a lower time bound for computing $U_k$ is still open. The simpler question of reducing the cost to $O(n^{\omega}\sqrt{k} + n^2 M(\sqrt{k}))$ base ring operations, that is gaining a logarithmic factor, already raises challenging problems.

As the above paragraphs reveal, this improvement could be obtained by answering the following question: Let $P$ be a polynomial of degree $d$ in $R[X]$. Given $r$ in $R$, how fast can we compute $P(0), P(r), \dots, P(rd)$ from the data of $P(0), P(1), \dots, P(d)$? A complexity of order $O(M(d))$ would immediately give the improved bound mentioned above. We leave it as an open question.
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4 The Cartier-Manin Operator on Hyperelliptic Cnrves 

We finally show how to apply the above results to the computation of the Cartier-Manin operator, and start by reviewing some known facts on this operator.

Let $C$ be a hyperelliptic curve of genus $g$ defined over the finite field $\mathbb{F}_{p^d}$ with $p^d$ elements, where $p$ is the characteristic of $\mathbb{F}_{p^d}$. We suppose that $p > 2$ and that the equation of $C$ is of the form $y^2 = f(x)$, where $f \in \mathbb{F}_{p^d}[X]$ is a monic squarefree polynomial of degree $2g+1$. The generalization to hyperelliptic curves of the Hasse invariant for elliptic curves is the so-called Hasse-Witt matrix, which is defined as follows:

Definition 1 Let $h_k$ be the coefficient of degree $k$ in the polynomial $f^{(p-1)/2}$. The Hasse-Witt matrix is the $g \times g$ matrix with coefficients in $\mathbb{F}_{p^d}$ given by
$$H = (h_{ip-j})_{1 \le i, j \le g}.$$

This matrix was introduced in [16]; in a suitable basis, it represents the operator on differential forms that was introduced by Cartier in [9]. Manin then showed in [20] that this matrix is strongly related to the action of the Frobenius endomorphism on the $p$-torsion part of the Jacobian of $C$. The article [33] provides a complete survey about those facts; they can be summarized by the following theorem:

Theorem 2 (Manin) Let $C$ be a hyperelliptic curve of genus $g$ defined over $\mathbb{F}_{p^d}$. Let $H$ be the Hasse-Witt matrix of $C$ and let $H_\pi = H H^{(p)} \cdots H^{(p^{d-1})}$, where the notation $H^{(q)}$ means element-wise raising to the power $q$. Let $\kappa(t)$ be the characteristic polynomial of the matrix $H_\pi$ and let $\chi(t)$ be the characteristic polynomial of the Frobenius endomorphism of the Jacobian of $C$. Then
$$\chi(t) \equiv (-1)^g\, t^g\, \kappa(t) \pmod p.$$

This result provides a quick method to compute the characteristic polynomial of the Frobenius endomorphism and hence the group order of the Jacobian of $C$ modulo $p$, when $p$ is not too large. Combined with a Schoof-like algorithm and/or a baby-step / giant-step algorithm, it can lead to a full point-counting algorithm, in particular for genus 2 curves, as was demonstrated in [13, 21].

The obvious solution consists in expanding the product $f^{(p-1)/2}$. Using balanced multiplications, and taking all products modulo $X^{gp}$, this can be done in $O(M(gp))$ base field operations, whence a time complexity within $O(M(p))$, if $g$ is kept constant. In what follows, regarding the dependence in $p$ only, we show how to obtain a complexity of $O(M(\sqrt{p})\log(p))$ base field operations, using the results of the previous sections.

We will make the assumption that the constant term of $f$ is not zero. Note that if it is zero, the problem is actually simpler: writing $f = X f_1$, the coefficient of degree $ip-j$ in $f^{(p-1)/2}$ is the coefficient of degree $ip - j - (p-1)/2$ in $f_1^{(p-1)/2}$. Hence we can work with a polynomial of degree $2g$ instead of $2g+1$ and the required degrees are slightly less.
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Furthermore, for technical reasons, we assume that g < p. This is not a true 
restriction since for g > p, all the coefficients of up to degree g{p — 1) 

are needed to fill in the matrix H . 



Introduction of a linear recurrent sequence. In [11], Flajolet and Salvy already treat the question of computing a selected coefficient in a high power of some given polynomial, as an answer to a SIGSAM challenge. The key point of their approach is that $h = f^{(p-1)/2}$ satisfies the following first-order linear differential equation
$$f h' - \frac{p-1}{2}\, f' h = 0.$$
From this, we deduce that the coefficients of $h$ satisfy a linear recurrence of order $2g+1$, with coefficients that are rational functions of degree 1.

Explicitly, let us denote by $h_k$ the coefficient of degree $k$ of the polynomial $h$, and for convenience, set $h_k = 0$ for $k < 0$. Similarly, the coefficient of degree $k$ of $f$ is denoted by $f_k$. From the above differential equation, for all $k$ in $\mathbb{Z}$, we deduce that
$$\sum_{i=0}^{2g+1} f_i \left( \frac{(p+1)\, i}{2} - (k+1) \right) h_{k+1-i} = 0.$$
We set $U_k = [h_{k-2g}, h_{k-2g+1}, \dots, h_k]^t$ and let $A(k)$ be the $(2g+1) \times (2g+1)$ companion matrix:
$$A(k) = \begin{bmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & & \ddots & \ddots & \vdots \\ 0 & 0 & \cdots & 0 & 1 \\ \dfrac{f_{2g+1}\big((2g+1)(p-1)/2 - (k-2g-1)\big)}{f_0\, k} & \cdots & & \cdots & \dfrac{f_1\big((p-1)/2 - k + 1\big)}{f_0\, k} \end{bmatrix},$$
the entry of the last row in column $2g+2-i$ being $f_i\big((p+1)i/2 - k\big)/(f_0 k)$ for $i = 1, \dots, 2g+1$. The initial vector $U_0 = [0, \dots, 0, f_0^{(p-1)/2}]^t$ is computed using binary powering techniques in $O(\log(p))$ base field operations; then for $k \ge 0$, we have $U_{k+1} = A(k+1)\, U_k$. Thus, to answer our specific question, it suffices to note that the vector $U_{ip-1}$ gives the coefficients $h_{ip-j}$ for $j = 1, \dots, g$ that form the $i$th row of the Hasse-Witt matrix of $C$.

Yet, Theorem 1 cannot be directly applied to this sequence, because $A(k)$ has entries that are rational functions, not polynomials. Though the algorithm could be adapted to handle the case of rational functions, we rather use the very specific form of the matrix $A(k)$, so only a small modification is necessary. Let us define a new sequence $V_k$ by the relation
$$V_k = f_0^k\, k!\; U_k.$$
Then, this sequence is linearly generated and we have $V_{k+1} = B(k+1)\, V_k$, where
$$B(k) = f_0\, k\, A(k).$$
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Therefore, the entries of the matrix B{k) are polynomials of degree at most 1. 
Note also that the denominators /g fc! satisfy the recurrence relation 

f^+\k + iy. = {fo{k + i))-{f^k\). 

Thus, we will compute separately, first V^-i, V 2 p-i, ■ • ■ Vgp-i and then the de- 
nominators fo~^(p - 1)!, . . . , fo^~^(gp - !)!• 

To this effect, we proceed iteratively. Let us for instance detail the com- 
putation of the sequence V^-i, V 2 p-i, • . . Vgp-i. Knowing Vg, we compute V^_i 
using Theorem 1. Then we shift all entries of B by p, so another application of 
Theorem 1 yields V 2 p-i- Iterating g times, we obtain Vp-i, V 2 p-i> ■ • ■ Vgp-i as re- 
quested; the same techniques are used to compute /g~^(p— 1)!, . . . , !)!• 

Then the vectors Up-i, C/ 2 p-i> ■ • ■ are deduced from 

Bk ph 1 \ * 

fok\ 



Lifting to characteristic zero. A difficulty arises from the fact that the characteristic is too small compared to the degrees we are aiming to, so $p!$ is zero in $\mathbb{F}_{p^d}$. The workaround is to do computations in the unramified extension $K$ of $\mathbb{Q}_p$ of degree $d$, whose residue class field is $\mathbb{F}_{p^d}$. The ring of integers of $K$ will be denoted by $\mathcal{O}_K$; any element of $\mathcal{O}_K$ can be reduced modulo $p$ to give an element of $\mathbb{F}_{p^d}$. On the other hand, $K$ has characteristic 0, so $p$ is invertible in $K$.

We consider an arbitrary lift of $f$ to $\mathcal{O}_K[X]$. The reformulation in terms of linear recurrent sequence made in the above paragraph can be performed over $K$; the coefficients of $f^{(p-1)/2}$ are computed as elements of $K$ and then projected back onto $\mathbb{F}_{p^d}$. This is possible, as they all belong to $\mathcal{O}_K$.

Using the iteration described above, we separately compute the values in $K$ of the vectors $V_{ip-1}$ and the denominators $f_0^{ip-1}(ip-1)!$, for $i = 1, \dots, g$. To this effect, we apply $g$ times the result given in Theorem 1; this requires to perform
$$O\big(g^{\omega+1}\sqrt{p} + g^3 M(\sqrt{p})\log(p)\big)$$
operations in $K$ and to store $O(g^2\sqrt{p})$ elements of $K$.



Computing at fixed precision. Of course, we do not want to compute in the field $K$ at arbitrary precision: for our purposes, it suffices to truncate all computations modulo a suitable power of $p$. To evaluate the required precision of the computation, we need to check when the algorithm operates a division by $p$.

To compute the vectors $V_{ip-1}$ and the denominators $f_0^{ip-1}(ip-1)!$, for $i = 1, \dots, g$, we use Theorem 1. This requires that all integers up to $2\lceil\sqrt{p}\rceil + 1$ are invertible, which holds as soon as $p > 11$.

Then, for all $i = 1, \dots, g$, to deduce $U_{ip-1}$ from $V_{ip-1}$, we need to divide by $f_0^{ip-1}(ip-1)!$. The element $f_0$ is a unit in $\mathcal{O}_K$, so the only problem comes from the factorial term. With our assumption that $g < p$, we have $i < p$ and then the $p$-adic valuation of $(ip-1)!$ is exactly $i-1$. Therefore the worst case is $i = g$, for which we have to divide by $p^{g-1}$. Hence computing the vectors $V_{ip-1}$ modulo $p^g$ is enough to know the vectors $U_{ip-1}$ modulo $p$, and then to deduce the Hasse-Witt matrix.
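The following Python code is an added worked example, not the authors' implementation: it computes the Hasse-Witt matrix of $y^2 = f(x)$ over $\mathbb{F}_p$ (so $d = 1$, $\mathcal{O}_K = \mathbb{Z}_p$, and the lift of $f$ is just $f$ with integer coefficients) from the recurrence above, with the normalisation $V_k = f_0^k k!\, U_k$, all arithmetic modulo $p^g$, and the exact division of $V_{ip-1}$ by $f_0^{ip-1}(ip-1)!$ after stripping the $p$-adic valuation $i-1$. It iterates the recurrence term by term instead of applying Theorem 1, so it costs $O(gp)$ operations rather than $O(\sqrt{p}\log p)$, but every other step is as in the text. The sample curves and primes are constructed; for the genus-1 curve the check also confirms the classical fact that the trace of Frobenius satisfies $a_p \equiv h_{p-1} \pmod p$ (the elliptic-curve instance of Theorem 2) by brute-force point counting.

```python
# Added example: Hasse-Witt matrix over F_p via the recurrence V_k = B(k) V_{k-1}
# at precision p^g.  f is a list of integer coefficients, lowest degree first.

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def B_matrix(f, k, p):
    """B(k) = f0 k A(k): integer companion matrix of
    f0 k h_k = sum_{i=1}^{2g+1} f_i ((p+1) i / 2 - k) h_{k-i}, acting on [h_{k-2g}, ..., h_k]."""
    n, f0 = len(f) - 1, f[0]                      # n = 2g + 1
    B = [[0] * n for _ in range(n)]
    for r in range(n - 1):
        B[r][r + 1] = f0 * k                      # shift rows, scaled like the last row
    for i in range(1, n + 1):
        B[n - 1][n - i] = f[i] * (((p + 1) * i) // 2 - k)   # column n-i holds h_{k-i}
    return B


def hasse_witt(f, p):
    """H = (h_{ip-j})_{1<=i,j<=g} mod p for f in Z[x] monic of degree 2g+1, f(0) != 0 mod p, g < p."""
    n, f0 = len(f) - 1, f[0]
    g = (n - 1) // 2
    assert f[-1] == 1 and f0 % p != 0 and g < p
    mod = p ** g                                  # precision p^g: worst division is by p^(g-1)
    V = [0] * (n - 1) + [pow(f0, (p - 1) // 2, mod)]   # V_0 = U_0 = [0, ..., 0, f0^((p-1)/2)]
    unit, vp = 1, 0                               # k! = p^vp * unit, unit tracked mod p
    H = [[0] * g for _ in range(g)]
    for k in range(1, g * p):                     # up to k = gp - 1
        B = B_matrix(f, k, p)
        V = [sum(B[r][c] * V[c] for c in range(n)) % mod for r in range(n)]
        kk = k
        while kk % p == 0:
            kk //= p
            vp += 1
        unit = unit * kk % p
        if k % p == p - 1:                        # k = ip - 1: row i of H sits in V_{ip-1}
            i = (k + 1) // p
            assert vp == i - 1                    # v_p((ip-1)!) = i - 1 because i < p
            inv = pow(pow(f0, k, p) * unit % p, -1, p)
            for j in range(1, g + 1):
                v = V[n - j]                      # component n-j of U_{ip-1} is h_{ip-j}
                assert v % p ** vp == 0           # V_{ip-1} = f0^k k! U_{ip-1} is divisible by p^(i-1)
                H[i - 1][j - 1] = (v // p ** vp) * inv % p
    return H


def hasse_witt_direct(f, p):
    """Reference: expand f^((p-1)/2) over Z and read off h_{ip-j} mod p."""
    h = [1]
    for _ in range((p - 1) // 2):
        h = poly_mul(h, f)
    g = (len(f) - 2) // 2
    return [[(h[i * p - j] if i * p - j < len(h) else 0) % p for j in range(1, g + 1)]
            for i in range(1, g + 1)]


def frobenius_trace(f, p):
    """a_p = p + 1 - #E(F_p) for the elliptic curve y^2 = f(x), deg f = 3, by brute force."""
    count = 1                                     # the point at infinity
    for x in range(p):
        fx = sum(c * pow(x, e, p) for e, c in enumerate(f)) % p
        count += 1 if fx == 0 else (2 if pow(fx, (p - 1) // 2, p) == 1 else 0)
    return p + 1 - count


# Constructed samples: y^2 = x^3 + 3x + 2 (genus 1) and y^2 = x^5 + x + 1 (genus 2) over F_31,
# and y^2 = x^7 + x + 3 (genus 3) over F_13, which exercises a division by p^2.
E_F = [2, 3, 0, 1]
G2_F = [1, 1, 0, 0, 0, 1]
G3_F = [3, 1, 0, 0, 0, 0, 0, 1]
```

Replacing the `for k in range(1, g * p)` loop by $g$ applications of Theorem 1 to $B$ (shifted by $p$ each time) is exactly the change that turns this $O(gp)$ iteration into the $O(\sqrt{p})$ algorithm of the text; the precision and division bookkeeping stay the same.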

Overall complexity. Storing an element of $\mathcal{O}_K / p^g \mathcal{O}_K$ requires $O(dg\log(p))$ bits, and multiplying two such elements can be done with $O(M(dg\log(p)))$ bit-operations. From the results of Section 3, we then deduce the following theorem on the complexity of computing the Hasse-Witt matrix.

Theorem 3 Let $p$ be a prime, $d \ge 1$ and $C$ a hyperelliptic curve defined over $\mathbb{F}_{p^d}$ by the equation $y^2 = f(x)$, with $f$ of degree $2g+1$. Then, assuming $g < p$, one can compute the Hasse-Witt matrix of $C$ with a complexity of
$$O\Big(\big(g^{\omega+1}\sqrt{p} + g^3 M(\sqrt{p})\log(p)\big)\, M(dg\log(p))\Big)$$
bit-operations and $O(dg^3\sqrt{p}\log(p))$ storage.

The matrix $H$ by itself gives some information on the curve $C$, for instance $H$ is invertible if and only if the Jacobian of $C$ is ordinary [33, Corollary 2.3]. However, as stated in Theorem 2, the matrix $H_\pi$ and in particular its characteristic polynomial $\kappa(t)$ tell much more and are required if the final goal is point-counting. Thus, we finally concentrate on the cost of computing the characteristic polynomial of $H_\pi$.

The matrix $H_\pi$ is the "norm" of $H$ and as such can be computed with a binary powering algorithm. For simplicity, we assume that $d$ is a power of 2, then denoting
$$H_{\pi,i} = H H^{(p)} \cdots H^{(p^{2^i - 1})},$$
we have
$$H_{\pi,i+1} = H_{\pi,i} \cdot \big(H_{\pi,i}\big)^{(p^{2^i})}.$$
Hence the computation of $H_{\pi,i+1}$ from $H_{\pi,i}$ costs one matrix multiplication and $2^i$ matrix conjugations. A matrix conjugation consists in raising all the entries to the power $p$, therefore it costs $O(g^2\log(p))$ operations in $\mathbb{F}_{p^d}$. The matrix we need to compute is $H_\pi = H_{\pi,\log_2(d)}$. Hence the cost of computing $H_\pi$ is
$$O\big(dg^2\log(p) + g^{\omega}\log(d)\big)$$
operations in $\mathbb{F}_{p^d}$. The general case where $d$ is not a power of 2 is handled by adjusting the recursive step according to the binary expansion of $d$ and yields the same complexity up to a constant factor.

The cost of the characteristic polynomial computation is bounded by the cost of a matrix multiplication [19] and is therefore negligible compared to the other costs.

If we are interested only in the complexity in $p$ and $d$, i.e. if we assume that the genus is fixed, we get a time complexity for computing $\chi(t) \bmod p$ in
$$O\Big(\big(M(\sqrt{p}) + d\big)\, M(d\log(p))\, \log(p)\Big).$$
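As an added example (not from the paper), here is the binary-powering computation of $H_\pi$ for a matrix $H$ over $\mathbb{F}_{p^d}$, written in Python with the field $\mathbb{F}_{p^d} = \mathbb{F}_p[t]/(P(t))$ implemented from scratch. The step $N_{2j} = N_j \cdot N_j^{(p^j)}$ is the recursion $H_{\pi,i+1} = H_{\pi,i}(H_{\pi,i})^{(p^{2^i})}$ above; the extra step $N_{j+1} = N_j \cdot H^{(p^j)}$ is our reading of "adjusting the recursive step according to the binary expansion of $d$". The prime $p = 3$, the modulus $P(t) = t^4 + t + 2$ and the $2 \times 2$ matrix are constructed for the check, which compares against the direct product and verifies that the trace of $H_\pi$ lies in $\mathbb{F}_p$, as it must since $H_\pi^{(p)}$ and $H_\pi$ are of the form $YX$ and $XY$.

```python
# Added example: H_pi = H H^(p) ... H^(p^(d-1)) by binary powering over F_{p^d} = F_p[t]/(P(t)).
# Field elements are coefficient lists of length d (lowest degree first); p, P and H are constructed.
p, d = 3, 4
MOD = [2, 1, 0, 0, 1]        # P(t) = t^4 + t + 2, irreducible over F_3 (no roots, no quadratic factor)


def f_mul(a, b):
    """Product in F_{p^d}: polynomial product reduced with t^d = -(MOD[0] + ... + MOD[d-1] t^(d-1))."""
    out = [0] * (2 * d - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    for i in range(2 * d - 2, d - 1, -1):
        c = out[i]
        if c:
            for j in range(d):
                out[i - d + j] = (out[i - d + j] - c * MOD[j]) % p
    return out[:d]


def f_add(a, b):
    return [(x + y) % p for x, y in zip(a, b)]


def f_pow(a, e):
    r, base = [1] + [0] * (d - 1), a
    while e:
        if e & 1:
            r = f_mul(r, base)
        base = f_mul(base, base)
        e >>= 1
    return r


def m_mul(A, B):
    n = len(A)
    out = [[[0] * d for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for l in range(n):
                out[i][j] = f_add(out[i][j], f_mul(A[i][l], B[l][j]))
    return out


def conj(A, e):
    """A^((p^e)): every entry raised to the power p^e, i.e. e matrix conjugations."""
    return [[f_pow(x, p ** e) for x in row] for row in A]


def norm_direct(H, k):
    """H H^(p) ... H^(p^(k-1)) with k-1 products, for checking."""
    N = H
    for i in range(1, k):
        N = m_mul(N, conj(H, i))
    return N


def norm_binary(H, k):
    """Same product with O(log k) matrix products, scanning the bits of k from the top.
    Invariant: N = H H^(p) ... H^(p^(j-1))."""
    N, j = H, 1
    for bit in bin(k)[3:]:
        N, j = m_mul(N, conj(N, j)), 2 * j          # N_{2j} = N_j N_j^(p^j)
        if bit == "1":
            N, j = m_mul(N, conj(H, j)), j + 1      # N_{j+1} = N_j H^(p^j)
    return N


def trace(A):
    t = [0] * d
    for i in range(len(A)):
        t = f_add(t, A[i][i])
    return t


# Constructed 2 x 2 matrix over F_81 (each entry is a polynomial in t of degree < 4).
H_SAMPLE = [[[1, 2, 0, 1], [0, 1, 1, 0]],
            [[2, 0, 1, 1], [1, 1, 2, 0]]]
```

For $d = 4$ the loop performs two products and two conjugation passes, against three products and three conjugations for the direct method; the saving grows with $d$ because the conjugation count per step is absorbed into the $O(dg^2\log p)$ term while the number of products drops to $O(\log d)$.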
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Case of large genus. In case of large genus, the algorithm of Theorem 1 is 
asymptotically not the fastest. In this paragraph, we assume that the function M 
is essentially linear and we do not take into account the logarithmic factors; 
adding appropriate epsilons in the exponents would yield a rigorous analysis. 
The cost in bit-operations of Theorem 3 is at least whereas the cost of 

the naive algorithm is linear in gpd. li g > p^^^, then g^^/p > gp, and therefore 
the naive algorithm is faster. 

5 Point-Counting Numerical Example

We have implemented our algorithm using Shoup's NTL C++ library [26]. NTL does not provide any arithmetic of local fields or rings, but allows to work in finite extensions of rings of the form $\mathbb{Z}/p^e\mathbb{Z}$, as long as no division by $p$ occurs; the divisions by $p$ are well isolated in the algorithm, so we could handle them separately. Furthermore, NTL multiplies polynomials defined over this kind of structure using an asymptotically fast FFT-based algorithm.

To illustrate that our method can be used as a tool in point-counting algorithms, we have computed the Zeta function of a (randomly chosen) genus 2 curve defined over $\mathbb{F}_{p^3}$, with $p = 2^{32} - 5$. Such a Jacobian has therefore about $2^{192}$ elements and should be suitable for cryptographic use if the group order has a large prime factor. Note that previous computations were limited to much smaller values of $p$ [21].

The characteristic polynomial $\chi$ of the Frobenius endomorphism was computed modulo $p$ in 3 hours and 41 minutes, using 1 GB of memory, on an AMD Athlon MP 2200+. Then we used the Schoof-like algorithms of [13] and [14] to compute $\chi$ modulo $128 \times 9 \times 5 \times 7$, and finally we used the modified baby-step / giant-step algorithm of [21] to finish the computation. These other parts were implemented in Magma [5] and were performed in about 15 days of computation on an Alpha EV67 at 667 MHz. We stress that this computation was meant as an illustration of the possible use of our method, so little time was spent optimizing our code. In particular, the Schoof-like part and the final baby-step / giant-step computations are done using a generic code that is not optimized for extension fields.



Numerical data. The irreducible polynomial $P(t)$ that was used to define $\mathbb{F}_{p^3}$ as $\mathbb{F}_p[t]/(P(t))$ is
$$P(t) = t^3 + 1346614179\, t^2 + 3515519304\, t + 3426487663.$$
The curve $C$ has equation $y^2 = f(x)$ where $f$ is given by
$$\begin{aligned} f(x) = x^5 &+ (2697017539\, t^2 + 1482222818\, t + 3214703725)\, x^3 \\ &+ (676673546\, t^2 + 3607548185\, t + 1833957986)\, x^2 \\ &+ (1596634951\, t^2 + 3203023469\, t + 2440208439)\, x \\ &+ 2994361233\, t^2 + 3327339023\, t + 862341251. \end{aligned}$$
Then the characteristic polynomial $\chi(T)$ of the Frobenius endomorphism is given by $T^4 - s_1 T^3 + s_2 T^2 - p^3 s_1 T + p^6$, where
$$s_1 = 332906835893875, \qquad s_2 = 142011235215638946167187570235.$$
The group order of the Jacobian is then
$$\begin{aligned} &6277101691541605395917785080771825883860189465813625993977 \\ &= 3^3 \times 13 \times 67 \times 639679 \times 417268068727536370810010172344236025455933953139. \end{aligned}$$
This number has a large prime factor of size $2^{158}$, therefore that curve is cryptographically secure.



Measure of the complexity in $p$. To check the practical asymptotic behaviour of our algorithm, we ran our implementation on a genus 2 curve defined over $\mathbb{F}_{p^3}$ with $p = 2^{34} - 41$. We performed only the Cartier-Manin step, and not the full point-counting algorithm. As the characteristic is about 4 times larger than in the previous example, a complexity linear in $\sqrt{p}$ means a runtime multiplied by about 2. On the same computer, the runtime is 8 hours and 48 minutes. Hence the ratio of the runtimes is about 2.39. The defect of linearity can be explained by taking into account the logarithmic factors. Assuming that $M(n)$ is $O(n\log(n)\log(\log(n)))$, and neglecting the multi-logarithmic factors, the complexity announced in Theorem 3 is in $O(\sqrt{p}\,(\log(p))^3)$. With this estimate, the expected ratio between the runtimes becomes about 2.40, that is very close to the measure. This validates our analysis.



6 Conclusion

In this paper, we have presented an improvement of an algorithm by Chudnovsky and Chudnovsky to compute selected terms in a linear sequence with polynomial coefficients. This algorithm is then applied to the computation of the Cartier-Manin operator of hyperelliptic curves, thus leading to improvements in the point-counting problems that occur in cryptography.

This strategy extends readily to curves of the form $y^r = f(x)$ with $r > 2$, for which the Hasse-Witt matrix has a similar form. For more general curves, Mike Zieve pointed out to us the work of Stöhr and Voloch [28] that gives formulas that still fit in our context in some cases.

Finally, Mike Zieve pointed out to us the work of Wan [32] that relates Niederreiter's polynomial factorization algorithm to the computation of the Cartier-Manin operator of some variety. The link with our work is not immediate, as that variety has dimension zero. Nevertheless, this remains intriguing, especially if we think of Pollard-Strassen's integer factoring algorithm as a particular case of Chudnovsky and Chudnovsky's algorithm.
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Abstract. In a recent paper, Tsaban and Vishne [4] introduce linear 
transformation shift registers (TSRs) which generate sequences by an 
entire word with each iteration. The authors recently [1] proved that over 
F 2 , irreducible TSRs occur in pairs. Now the results are generalized and 
extended for arbitrary finite fields. This aids in the search for irreducible 
TSRs. 



1 Introduction

Linear feedback shift registers (LFSRs) play an important role in engineering for the implementation of sequences over finite fields; see Golomb [3]. LFSRs generate a single bit with each iteration. Recently, Tsaban and Vishne [4] introduced linear transformation shift registers (TSRs) which produce an entire word with each iteration by utilizing word-oriented operations. A linear transformation of order $m$ (the word size) is combined with an LFSR of order $n$ to create the TSR over the finite field $\mathbb{F}_q$. For certain choices, the resulting TSR has primitive characteristic polynomial, and hence maximal order $q^{mn} - 1$. Finding irreducible TSRs is the first step towards finding primitive TSRs.

In a recent paper [1], the authors note the existence of pairs of characteristic polynomials of LFSRs that have the same irreducibility behavior for all possible transformations that form TSRs over $\mathbb{F}_2$. All LFSRs with characteristic polynomial divisible by $x + 1$ exhibit this property. A simple formula allows the computation of the pair of such an LFSR. The individual factors of the LFSRs, along with the order $n$, determine the pair.

This phenomenon is now generalized and expanded over $\mathbb{F}_q$. A much richer pairing and $(q-1)$-tupling pattern emerges. Several nuances appear which are masked in the $\mathbb{F}_2$ case. Every LFSR is a member of a $(q-1)$-tuple and those with linear factors are also paired in other, more interesting ways. Explicit formulas are given for the calculation of pairs and $(q-1)$-tuples and the development as $n$ grows is explored. Finally, the role of individual divisors of the LFSRs is examined. Several examples of this pattern are provided. Computationally, this allows for time savings in the search for irreducible TSRs. However, the applications of TSRs and their pairs are not the focus of this article. Please refer to [4] and [1] for such explanations.

* The first author was supported by an NSERC Undergraduate Student Research Award. The second author was supported by NSERC under grant number 238757.
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2 Preliminaries 

A sequence so> si, • . . , of elements from satisfies a linear feedback shift register 
(LFSR) S = (ag, ai, . . . , a„_i), ag ^ 0, of order n if 

Sn+t = QoSi + OlSt +1 + • • • + 

for all t = 0,1) We associate S with the polynomial /s(x) = + 

h oq. Unless otherwise specified, fs is assumed to always have degree strictly 

less than n in this paper. These LFSRs generate a single new element with each 
iteration. 

Tsaban and Vishne describe a transformation shift register (TSR) which gen- 
erates an entire word of m elements of with each iteration. For the n words 
vg,vi, , Vn-1 and for linear transformation T of order m, 

v„ = T(agVg + aiVi -I- • • • -I- a„_iv„_i). 

Scalar multiplication and vector addition are used in this computation. We now 
cite some important results about TSRs. 

Proposition 1. (3.1 in [4]) Let T he a linear transformation o/F™ with char- 
acteristic polynomial frix), and S = (oo, oi, . . . , a„_i) G F 2 ,oo yf 0. Then the 
characteristic polynomial of the TSR (T, S) is 

fe,W = AW’"/r(^)- 

The TSR has a maximal period of g™" — 1 if, and only if, its characteristic 
polynomial is primitive. 

Proposition 2. (4.1 in [4]) Let F^m he the splitting field of fxix). Let a he 
a root of frix) in F^m. Then f{T,s)(x) is irreducible over F^ if, and only if, 
x" — afs{x) is irreducihle over¥qm. 

In an earlier paper [1], the authors investigated pairs of LFSRs. The LFSRs 
Si and S 2 form a pair whenever they form irreducible TSRs with exactly the 
same linear transformations frix). The corresponding polynomials fs^ and /sj 
are also said to be a pair. It was further shown that over F 2 , the polynomial 
fsi (x) is paired with 

/s,(x) := (x-k l)"/sj ■ 

Furthermore, as the order of the LFSR increases to n' = n -I- t, we have (x -\- 
lyfsiix) is paired with (a; -I- fs^ix). Finally, if 

/Si(x) = 

then 

fs, (x) = {X+ I)"-“0-ai degpi — .-a. degp„^ai 
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where qi{x) = (a; + ■ In this paper we generalize these results to 

Finally, we also require linear fractional transformations as described by 
Fitzgerald [2]. For 



M = 



a b 
c d 



G GL{2, q), 



we define 



cx + d 

M ■ f{x) = (cx + d)^ f(M ■ x) where k = deg /. 

We note that this is an inverse action since N ■ (M ■ f) = (MN) ■ f. 

3 Pairing of LFSRs over F_q

Pairing of LFSRs is found by computing TSRs for many LFSRs and linear transformations, and by checking for irreducibility and primitivity. Examples of this kind of test are given in Tables 1, 2, and 3. Irreducible linear transformations of order $m = 2$ over $\mathbb{F}_5$ are listed in Table 1. The coefficients of the characteristic polynomials are listed with the least significant coefficient on the left. Hence, the eighth entry represents $4 + 3x + x^2$. Table 2 lists all LFSRs of order $n = 2$ over $\mathbb{F}_5$ in a similar fashion, and indicates which linear transformations produce irreducible ('I') TSRs. If the resulting TSR is also primitive, a 'P' replaces the 'I'. The numbers at the top of each column refer to the linear transformations in Table 1. Table 3 is similar, though it lists all LFSRs of order $n = 3$.

Note that many rows have non-blank entries (I or P) in the same coordinates. For example, rows 5, 12, 16, and 17 of Table 2 and rows 5, 8, 18, 19, 33, 51, 70, and 96 of Table 3. This phenomenon is mathematically justified in the following subsections.

3.1 Pairing of LFSRs of Fixed Order

Let $f_S$ be the polynomial associated with the LFSR $S$. The next theorem shows that every $f_S$ is paired with each polynomial in a set of order $q - 1$ (called a trivial pairing) as well as being paired with one polynomial for each distinct linear factor of $f_S$ (called a non-trivial pairing). A polynomial trivially paired with one non-trivially paired with $f_S$ is itself non-trivially paired with $f_S$.

Theorem 1. Over $\mathbb{F}_q$, the polynomial $f_S(x)$ with degree $< n$ is paired with $(cx+d)^n f_S\!\left(\frac{x}{cx+d}\right)$ where $d \in \mathbb{F}_q^*$ and $c = 0$ (a trivial pair) or $1/c$ is a root of $f_S(x)$ (a non-trivial pair).
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Table 1. Characteristic Polynomials of Irreducible Transformations of Degree 
over Fs 



1 


201 


6 


421 


2 


301 


7 


331 


3 


111 


8 


431 


4 


211 


9 


141 


5 


321 


10 


241 



Table 2. Irreducibility/Primitivity of TSRs for $n = 2$ over $\mathbb{F}_5$
(columns 1-10 are the linear transformations of Table 1; each row gives its LFSR as $a_0\ a_1$, i.e. $f_S = a_0 + a_1 x$, with rows numbered $a_0 + 4a_1$ as referred to in the text, followed by its marks I (irreducible) or P (primitive) in column order; the positions of the blank columns of the original layout did not survive extraction)

 row  a_0 a_1   marks
   1   1  0     I I P P P P
   2   2  0     I I P P P P
   3   3  0     I I P P P P
   4   4  0     I I P P P P
   5   1  1     I I P P I I
   6   2  1     I I P I I P
   7   3  1     I I P P I I
   8   4  1     I I P I I P
   9   1  2     I I P I I P
  10   2  2     I I P P I I
  11   3  2     I I P I I P
  12   4  2     I I P P I I
  13   1  3     I I P I I P
  14   2  3     I I P P I I
  15   3  3     I I P I I P
  16   4  3     I I P P I I
  17   1  4     I I P P I I
  18   2  4     I I P I I P
  19   3  4     I I P P I I
  20   4  4     I I P I I P




2 3 1 P P P 
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Proof. Let a € F^m be a root of an irreducible polynomial fr of degree m, and 
suppose x” — afs{x) is reducible over F^m with root j3 G F„mfc, k < n. For 



M = 



1 0 
c d 

and we have 



, d yf 0, the inverse of M exists. Define S = M ^ ■ (3. Then (3 = M ■ 5 



/3" - afsW) = (M • d)” - afs{M • d) = 0. 



Therefore, 

Hence x” — a(cx + df'^fs is reducible. 

Similarly, suppose x" — a{cx + d)'^fs has a root 7 G F,^mfc, k < n. 

Define /i = M • 7 . Then since 7 cannot be —d/c, we have the both equalities: 

7"-o(c7 + <i)"/s(^)= 0 , 

(g^) 

Thus x” — afs(x) is irreducible iff x” — a(cx + df'^fs ( 7 ,^) is irreducible. 

It remains to show that (cx+d )”/5 corresponds to a legitimate LFSR 

of order n by showing that zero is not a root and it has degree strictly less than 
n. The first fact follows easily from /s(0) yf 0 and d yf 0 since 

n 

= ^ QiX^{cX + d)”“* 
i =0 

= Ood" yf 0. 

h aic”“^ + Ooc”) 

polynomial of degree < n} 

+ {some polynomial of degree < n}. 



(cx + d)"^fs 
(cO + d)”/s 



cx + d 
0 

cO + d 



The second fact follows from 

X 



(cx + d)”/s 



cx - 



= x”(a„_ic + 



= x"c”/ 



+ {some 

T 



The x" term disappears whenever c is as specified. 
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The trivial case c = 0 always occurs. Every LFSR fs is paired with every 
member of the (g — l)-tuple {d"/s(f ) : d G F*}. Since 

/<«>« = *<*>"*(/£)) 

is the characteristic polynomial of a TSR involving fs, the family of TSRs of 
the trivial (g — l)-tuple is found by direct substitution 

/(Vs>(^) = rf'””/(T.5> (^). 

More generally, the family of TSRs of all pairs of fs is also found by substi- 
tution 



= M ■ f{T,S){x), 

where c and d are as specified in Theorem 1. 

An example of a trivial (g — l)-tuple is lines 33, 51, 70, and 96 of Table 3. 
The thirty-third LFSR of Table 3 is fs^ = 1 -I- 3a; -I- For n = 3 and c = 0, 

fs^ = d^ + "idfx + dx^. Hence, 

f S2 — 3 -t- 2x -t- 2x 
/Ss = 2 -t- 2x -t- 3x^ 

/S 4 = 4-b3x-b4x^, 

and these are the LFSRs in rows 51, 70, and 96. A non-trivial pair of the fifty-first 
LFSR of Table 3 is 

fs, = (3x + 2)3/s. 

= 3(3x -b 2f + 2(3x -b 2)^x -b 2(3x -b 2)x^ 

= 4 -b X 

which is the eighth row of that table. We already noted these are paired in 
the comment before Subsection 3.1. The other pairs may be found in a similar 
fashion. 

All of these examples of paired fs have the extra property that f(T,Si) is 
primitive if and only if /(t,S 2 > i® primitive. This does not hold in general. For an 
example, refer to lines 5 and 23 from Table V of [1]. 
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3.2 Pairing of LFSRs as the Order Varies 

The pairs of fs^ for order n determine the pairs of larger order n+t. The previous 
theorem tells us that for fs^ = (cx + d)"/si > 



— afsi (x) is irreducible, 
x”+* -a{cx + d)"+Vsi 



d 



is irreducible, 



x”'*'* — a{cx + dYfs 2 {x) is irreducible. 

That is, we have the following theorem. 

Theorem 2. The LFSR fsi(x) is paired with (cx + d)* fs 2 (x) for LFSR order 
nf = n + t. 

For example, since for n = 3, fs 2 = 3 + 2x + 2x^ S IP's [a;] has non-trivial pair 



fs, = (3x + 2)3 /s. 



3x T 2 



= 4 + X, 



Theorem 2 implies that for n = 5, fs 2 has pair 

(3x + 2 ) 2 /s 5 = (3x + 2)2(4 + x) = 1 + 2x + 3x2 + 4 ^ 3 ^ 



3.3 Factors of the Polynomial Pairs 

Pairs of LFSRs can be determined by examining the individual factors of the 
polynomials fsi(x) = p“^(x) • • •p“’'(x), where the pi are irreducible over Fg. 
Quite simply, the pair of fs^ (x) is 

fcM = (cx+d)>r (^) ■■ K' (^) 

= (cx + degpi-..-a,degp.^ai . ^a,. 

where qi{x) = (cx + is the pair of pi. 

That is, fsi may be factored, the individual divisors replaced with their pairs 
and then an appropriate power of (cx + d) inserted. This yields fs 2 - 
In particular, the linear polynomial p(x) = x — 1/c has pair 



Hence, the degree of the pair of the composite /s(x) having p(x) = x — 1/c as a 
factor will have degree less than n. All other (monic) irreducible factors Pi will 
have pair pi of the same degree. 




Mutual Irreducibility of Certain Polynomials



For example, consider the polynomial
$$f_S(x) = x^6 + 6x^4 + x^3 + 4x^2 + 2x + 6 = (x^3 + 6x^2 + 5x + 3)(x^2 + 2)(x + 1) \quad \text{over } \mathbb{F}_7.$$
For $c = 6$ and $n = 7$ (so that $1/c = 6 = -1$ is the root of the factor $x + 1$), it has pairs for all $1 \le d \le 6$,
$$\begin{aligned} f_{S_d}(x) &= (6x + d)(4x^3 + 5d\, x^2 + 3d^2 x + 3d^3)(3x^2 + 3d\, x + 2d^2)(d) \\ &= 2d\, x^6 + 6d^2 x^5 + 2d^3 x^4 + 4d^4 x^3 + 6d^5 x^2 + 2d^6 x + 6d^7. \end{aligned}$$
Whence
$$\begin{aligned} f_{S_1}(x) &= 2x^6 + 6x^5 + 2x^4 + 4x^3 + 6x^2 + 2x + 6, \\ f_{S_2}(x) &= 4x^6 + 3x^5 + 2x^4 + x^3 + 3x^2 + 2x + 5, \\ f_{S_3}(x) &= 6x^6 + 5x^5 + 5x^4 + 2x^3 + 2x^2 + 2x + 4, \\ f_{S_4}(x) &= x^6 + 5x^5 + 2x^4 + 2x^3 + 5x^2 + 2x + 3, \\ f_{S_5}(x) &= 3x^6 + 3x^5 + 5x^4 + x^3 + 4x^2 + 2x + 2, \\ f_{S_6}(x) &= 5x^6 + 6x^5 + 5x^4 + 4x^3 + x^2 + 2x + 1 \end{aligned}$$
form a $(q-1)$-tuple which are trivially related to each other, but individually, each of them is a non-trivial pair of $f_S$.
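The following Python code is an added worked example, not part of the paper: it implements Proposition 1 (the TSR characteristic polynomial), the pair $(cx+d)^n f_S\!\left(\frac{x}{cx+d}\right)$ of Theorem 1, and the irreducibility and primitivity tests that produce Tables 1-3, over $\mathbb{F}_q$ with $q$ prime. The check recomputes the trivial $(q-1)$-tuple of $1 + 3x + x^2$, the non-trivial pair $4 + x$ of $3 + 2x + 2x^2$, the order-5 pair of Theorem 2, the $\mathbb{F}_7$ pairs of this subsection, and confirms on the ten transformations of Table 1 that paired LFSRs give irreducible TSRs for exactly the same $f_T$. Table 1 and the prime factors of $q^N - 1$ used for primitivity are typed in by hand.

```python
# Added example: TSR characteristic polynomials, LFSR pairs, irreducibility/primitivity over F_q.
# Polynomials are coefficient lists with the least significant coefficient first, as in the tables.

def trim(a):
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def padd(a, b, q):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % q for i in range(n)])

def pmul(a, b, q):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % q
    return trim(out)

def ppow(a, e, q):
    r = [1]
    for _ in range(e):
        r = pmul(r, a, q)
    return r

def pmod(a, f, q):
    """Remainder of a modulo f over F_q (f need not be monic)."""
    a, inv = [x % q for x in a], pow(f[-1], -1, q)
    for i in range(len(a) - 1, len(f) - 2, -1):
        c = a[i] * inv % q
        if c:
            for j in range(len(f)):
                a[i - len(f) + 1 + j] = (a[i - len(f) + 1 + j] - c * f[j]) % q
    return trim(a[:len(f) - 1] or [0])

def monic(a, q):
    a = trim(a)
    inv = pow(a[-1], -1, q)
    return [x * inv % q for x in a]

def pgcd(a, b, q):
    a, b = trim(a), trim(b)
    while b != [0]:
        a, b = b, pmod(a, b, q)
    return monic(a, q)

def powmod(a, e, f, q):
    r, base = [1], pmod(a, f, q)
    while e:
        if e & 1:
            r = pmod(pmul(r, base, q), f, q)
        base = pmod(pmul(base, base, q), f, q)
        e >>= 1
    return r

def is_irreducible(f, q):
    """deg f = N: irreducible iff gcd(f, x^(q^i) - x) = 1 for 1 <= i <= N/2."""
    f = monic(f, q)
    N = len(f) - 1
    if N < 1:
        return False
    xq = [0, 1]
    for _ in range(N // 2):
        xq = powmod(xq, q, f, q)                      # x^(q^i) mod f
        if pgcd(f, padd(xq, [0, q - 1], q), q) != [1]:
            return False
    return True

def is_primitive(f, q, order_primes):
    """Irreducible f of degree N is primitive iff x^((q^N-1)/r) != 1 mod f for every prime r | q^N - 1."""
    N = len(f) - 1
    return is_irreducible(f, q) and all(
        powmod([0, 1], (q ** N - 1) // r, monic(f, q), q) != [1] for r in order_primes)

def tsr_charpoly(fT, fS, n, q):
    """f_(T,S)(x) = f_S(x)^m f_T(x^n / f_S(x)) with m = deg f_T (Proposition 1)."""
    m, out = len(fT) - 1, [0]
    for i, t in enumerate(fT):
        out = padd(out, pmul([t], pmul([0] * (n * i) + [1], ppow(fS, m - i, q), q), q), q)
    return out

def lfsr_pair(fS, n, c, d, q):
    """(cx+d)^n f_S(x/(cx+d)) = sum_i a_i x^i (cx+d)^(n-i): the pair of Theorem 1 when c = 0
    (trivial) or 1/c is a root of f_S (non-trivial), in which case the x^n term vanishes."""
    out = [0]
    for i, a in enumerate(fS):
        out = padd(out, pmul([a], pmul([0] * i + [1], ppow([d, c], n - i, q), q), q), q)
    return out

def same_irreducibility(fS1, fS2, n, transformations, q):
    """Defining property of a pair: the same f_T give irreducible TSRs for both LFSRs."""
    return all(is_irreducible(tsr_charpoly(fT, fS1, n, q), q) ==
               is_irreducible(tsr_charpoly(fT, fS2, n, q), q) for fT in transformations)

TABLE1 = [[2, 0, 1], [3, 0, 1], [1, 1, 1], [2, 1, 1], [3, 2, 1],
          [4, 2, 1], [3, 3, 1], [4, 3, 1], [1, 4, 1], [2, 4, 1]]
PRIMES_5_2 = [2, 3]      # 5^2 - 1 = 24 = 2^3 * 3, for primitivity of the degree-2 transformations
```

Running `same_irreducibility` over all 20 LFSRs of order 2 and all of Table 1 reproduces the I marks of Table 2; adding `is_primitive` with the prime factors of $5^4 - 1 = 2^4 \cdot 3 \cdot 13$ upgrades the I's to P's.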

4 Conclusion 

Further examination of tables similar to those provided here may yield new interesting results. Perhaps different linear fractional transformations, say for $b \ne 0$, of the LFSRs lead to other connections.

In his paper, Fitzgerald [2] counts the number of polynomials which remain invariant under the action of the matrix $M$. His techniques are not immediately applicable in our case because $(cx+d)^n f_S \ne M \cdot f_S$ when $n > \deg f_S$. As well, when considering the characteristic polynomial $f_{(T,S)}$ of the TSR and its pair $f'_{(T,S)} = M \cdot f_{(T,S)}$, not all transformations $M$ are applied to all polynomials $f$ of degree $mn$; $M$ is only applied to those polynomials which represent a TSR. That is, an application of Fitzgerald's methods here would count extraneous invariant polynomials. An example of such an invariant polynomial is $f_S = x^4 - 1$ for $q = 5$, $n = 5$. Tables (similar to Tables 2 and 3) containing examples of invariant polynomials were not provided as they would be too large or too simple. For instance, if $1/c$ is a root of an invariant $f_S$, then

$$f_S(x) = (cx+1)^n f_S\!\left(\frac{x}{cx+1}\right).$$

Plugging in $1/c$ shows that $1/(2c)$ is also a root (unless $p$, the characteristic, equals 2). Plugging in $1/(2c)$ shows that $1/(3c)$ is a root and so on. Thus $f_S$ has roots $1/(kc)$ for $1 \le k < p$. In particular, $\deg f_S \ge p - 1$. An explicit characterization of these invariant $f_S$ would be helpful.

Nevertheless, transformation shift registers may be found efficiently by tar- 
geting LFSRs with linear factors (and hence non-trivial pairs). Multiple irre- 
ducible TSRs are thus found for the computational price of one. 

Acknowledgement. The authors wish to thank the referee for a careful reading 
of the manuscript and many helpful comments which improved the clarity of this 
paper. 
Abstract. The relationship between two concepts measuring structural properties of pseudorandom numbers, namely the linear complexity profile and the lattice profile, is investigated. In particular an explicit formula expressing the lattice profile in terms of the linear complexity profile (and vice versa) can be provided once the interrelation is known in certain points. Moreover an intrinsic characterization of lattice profiles is established.



1 Introduction and Basic Facts 

Pseudorandom numbers (PRN) generated by linear congruences as introduced by Lehmer [8], though still very popular and widely used, comprise severe deficiencies that make them improper in many applications as for instance in quasi-Monte Carlo methods (cf. [12]). One particularly undesirable feature of these PRN is their coarse lattice structure. Marsaglia [9] proposed a lattice test for arbitrary nonlinear congruential generators modulo a prime. This test was investigated and enhanced by several authors, e.g., [5, 15-17].

Recently, in joint work with A. Winterhof [2,3], we extended a generalized version of Marsaglia's lattice test for sequences over finite fields to segments of sequences $(\eta_n)$ over an arbitrary field $K$: For given $s \ge 1$ and $N \ge 2$ we say that $(\eta_n)$ passes the $s$-dimensional $N$-lattice test if the vectors $\{\underline{\eta}_n - \underline{\eta}_0 \mid 1 \le n \le N - s\}$ span $K^s$, where

$$\underline{\eta}_n = (\eta_n, \eta_{n+1}, \ldots, \eta_{n+s-1}), \quad 0 \le n \le N - s.$$

If $(\eta_n)$ passes the $s$-dimensional $N$-lattice test then it passes all $s'$-dimensional $N$-lattice tests for $s' < s$, and if $(\eta_n)$ fails the $s$-dimensional $N$-lattice test then it fails all $s'$-dimensional $N$-lattice tests for $s' > s$. The greatest $s$ such that $(\eta_n)$ satisfies the $s$-dimensional $N$-lattice test is called the $N$th lattice level of $(\eta_n)$ (or the lattice profile of $(\eta_n)$ at $N$) and is denoted by $S((\eta_n), N)$. Additionally we define $S((\eta_n), 0) = S((\eta_n), 1) := 0$. The sequence $(S((\eta_n), N))_{N \ge 0}$ is called the lattice profile of $(\eta_n)$.

Another quality measure appraising the intrinsic structure of PRN is given by the linear complexity: The $N$th linear complexity $L((\eta_n), N)$, $N \ge 1$, is the least order $L$ of a linear recurrence relation over $K$

$$\eta_{n+L} = a_0 \eta_n + a_1 \eta_{n+1} + \cdots + a_{L-1}\eta_{n+L-1}, \quad 0 \le n \le N - L - 1,$$
G. Mullen, A. Poli and H. Stichtenoth (Eds.): Fq7 2003, LNCS 2948, pp. 69-78, 2003.
which is satisfied by the first $N$ terms of $(\eta_n)$ (with the additional conventions that $L((\eta_n), N) = 0$ if the first $N$ terms of $(\eta_n)$ are all 0 and $L((\eta_n), N) = N$ if the first $N - 1$ terms are 0 and the $N$th term of $(\eta_n)$ is nonzero). Moreover we define $L((\eta_n), 0) := 0$. The linear complexity profile is the sequence $(L((\eta_n), N))_{N \ge 0}$ and the linear complexity $L(\eta_n)$ is defined as

$$L(\eta_n) = \sup_{N \ge 2} L((\eta_n), N).$$

The linear complexity and the linear complexity profile are important cryptographic characteristics of sequences (see e.g. [1, 11, 19]). A low linear complexity of a generator has turned out to be undesirable for more traditional applications in Monte Carlo methods as well (see e.g. [6, 12-14]).

In the following we will use a more compact notation and mostly write $L(N)$ and $S(N)$ instead of $L((\eta_n), N)$ and $S((\eta_n), N)$, respectively, when it is not necessary to stress the role of a particular sequence $(\eta_n)$ and merely the properties of $S$ and $L$ as functions in $N$ are of interest.

In the remaining part of Sect. 1 we will recall some results on the linear 
complexity and the lattice profile which will be used later on. 

The following proposition (cf. [7, Theorem 6.7.4], [10], or [18]) describes the step-growth of the linear complexity profile.

Proposition 1. (i) If $L(N) > N/2$ then

$$L(N+1) = L(N).$$

(ii) If $L(N) \le N/2$, then

$$L(N+1) = L(N) \quad \text{or} \quad L(N+1) = N + 1 - L(N).$$

Next we list some basic properties of the lattice profile ([2, Proposition 4]).

Proposition 2. (i) $S(N) \le S(N+1) \le S(N) + 1$.

(ii) $S(N) \le N/2$.

As the main result of [2] the following relation between lattice profile and linear complexity profile for arbitrary sequences is proved.

Theorem 1. We have either

$$S(N) = \min\{L(N), N + 1 - L(N)\}$$

or

$$S(N) = \min\{L(N), N + 1 - L(N)\} - 1.$$

In case $L(N) = N + 1 - L(N)$, i.e., $L(N) = (N+1)/2$, there is a definite value for $S(N)$, namely

$$S(N) = \min\{L(N), N + 1 - L(N)\} - 1 = (N - 1)/2.$$

Furthermore in [2] an example is given which shows that all four possibilities $S(N) = L(N) - 1$, $L(N)$, $N - L(N)$, $N + 1 - L(N)$ in Theorem 1 occur.
2 Relationship Between Lattice Profile and Linear Complexity Profile



From the point of view of applications Theorem 1 can be interpreted as say- 
ing that the linear complexity profile and the lattice profile provide essentially 
equivalent quality measures for the intrinsic structure of a sequence. 

In this paper we continue with the objective to decide which of the four values in Theorem 1 is assumed by $S(N)$, and we try to find out what is the dynamic behind that governs the relationship between $S(N)$ and $L(N)$.

A partial result in this direction is [2, Propositions 5, 6 and 10].

Proposition 3. If $L := L(N) \le N/2$ and

$$\eta_{n+L} = a_0 \eta_n + a_1 \eta_{n+1} + \cdots + a_{L-1}\eta_{n+L-1}, \quad 0 \le n \le N - L - 1, \qquad (1)$$

is the linear recurrence relation of least order satisfied by the first $N$ terms of $(\eta_n)$, then $L(N) - 1 \le S(N) \le L(N)$ and

$$S(N) = L(N) - 1$$

if and only if

$$a_0 + a_1 + \cdots + a_{L-1} = 1.$$

Remark 1. A sequence $(\eta_n)$ satisfies a recurrence relation (1) with $a_0 + a_1 + \cdots + a_{L-1} = 1$ if and only if every additively shifted sequence $(\eta_n + a)$, $a \in K$, satisfies the same recurrence.



Next we prove some preparatory results. 

Lemma 1. If $S(N-1) = S(N)$ then

$$L(N) \le S(N-1) + 1.$$

Proof. Put $s := S(N)$. We consider the following $(s+1) \times (N-s-1)$ matrix:

$$A = \begin{pmatrix} \eta_1 - \eta_0 & \eta_2 - \eta_1 & \cdots & \eta_{N-s-1} - \eta_{N-s-2} \\ \eta_2 - \eta_1 & \eta_3 - \eta_2 & \cdots & \eta_{N-s} - \eta_{N-s-1} \\ \vdots & \vdots & & \vdots \\ \eta_s - \eta_{s-1} & \eta_{s+1} - \eta_s & \cdots & \eta_{N-2} - \eta_{N-3} \\ \eta_{s+1} - \eta_s & \eta_{s+2} - \eta_{s+1} & \cdots & \eta_{N-1} - \eta_{N-2} \end{pmatrix}.$$

The assumption $S(N-1) = s$ means that the rank of the first $s$ rows of $A$ equals $s$, thus the first $s$ rows of $A$ are linearly independent. Since $s = S(N)$ the rank of $A$ is also $s$. Thus the last row of $A$ is a linear combination of the first $s$ rows and there exist $\alpha_0, \ldots, \alpha_{s-1} \in K$ such that

$$\eta_{s+1+n} - \eta_{s+n} = \alpha_0(\eta_{1+n} - \eta_n) + \cdots + \alpha_{s-1}(\eta_{s+n} - \eta_{s-1+n})$$

for $n = 0, 1, \ldots, N - s - 2$. Rearranging the last equation to

$$\eta_{s+1+n} = -\alpha_0 \eta_n + (\alpha_0 - \alpha_1)\eta_{n+1} + \cdots + (\alpha_{s-2} - \alpha_{s-1})\eta_{s-1+n} + (\alpha_{s-1} + 1)\eta_{s+n},$$

we see that $L(N) \le s + 1 = S(N-1) + 1$. □
Chiefly we will use the last result in the following form.

Lemma 2. If $L(N) > (N+1)/2$ then

$$S(N) = S(N-1) + 1.$$

Proof. $L(N) > (N+1)/2$ implies $L(N) > S(N-1) + 1$ (due to $S(N-1) \le (N-1)/2$, Proposition 2 (ii)). By Lemma 1 we obtain $S(N) > S(N-1)$ and Proposition 2 (i) yields $S(N) = S(N-1) + 1$. □

Lemma 3. Let $N$ be even. If $S(N-1) = N/2 - 1$ and $S(N-2) < N/2 - 1$ then $S(N) = N/2$.



Proof. We consider the $N/2 \times N/2$ matrix

$$A = \begin{pmatrix} \eta_1 - \eta_0 & \eta_2 - \eta_1 & \cdots & \eta_{N/2} - \eta_{N/2-1} \\ \eta_2 - \eta_1 & \eta_3 - \eta_2 & \cdots & \eta_{N/2+1} - \eta_{N/2} \\ \vdots & \vdots & & \vdots \\ \eta_{N/2} - \eta_{N/2-1} & \eta_{N/2+1} - \eta_{N/2} & \cdots & \eta_{N-1} - \eta_{N-2} \end{pmatrix}.$$

Let $A'$ denote the matrix consisting of the first $N/2 - 1$ rows of $A$ and let $A''$ consist of the first $N/2 - 1$ columns of $A'$. Our assumptions can be interpreted as follows:

(i) $S(N-1) = N/2 - 1$ means that the rows of $A'$ are linearly independent, i.e., the rank of $A'$ is $N/2 - 1$.

(ii) $S(N-2) < N/2 - 1$ implies $\det A'' = 0$, hence, say, the $i$-th row of $A''$, $1 \le i \le N/2 - 1$, is a linear combination of the remaining rows of $A''$.

Performing the corresponding row transformation with $A$ (subtracting that linear combination of the other rows from the $i$-th row, which leaves only its last entry $a$) we obtain

$$\det A = \det \begin{pmatrix} \eta_1 - \eta_0 & \cdots & \eta_{N/2-1} - \eta_{N/2-2} & \eta_{N/2} - \eta_{N/2-1} \\ \vdots & & \vdots & \vdots \\ 0 & \cdots & 0 & a \\ \vdots & & \vdots & \vdots \\ \eta_{N/2} - \eta_{N/2-1} & \cdots & \eta_{N-2} - \eta_{N-3} & \eta_{N-1} - \eta_{N-2} \end{pmatrix} = \pm a \cdot \det B,$$

where the row $(0, \ldots, 0, a)$ is the $i$-th row and

$$B = \begin{pmatrix} \eta_1 - \eta_0 & \cdots & \eta_{N/2-1} - \eta_{N/2-2} \\ \vdots & & \vdots \\ \eta_{i-1} - \eta_{i-2} & \cdots & \eta_{N/2+i-3} - \eta_{N/2+i-4} \\ \eta_{i+1} - \eta_i & \cdots & \eta_{N/2+i-1} - \eta_{N/2+i-2} \\ \vdots & & \vdots \\ \eta_{N/2} - \eta_{N/2-1} & \cdots & \eta_{N-2} - \eta_{N-3} \end{pmatrix}$$

is $A$ with its $i$-th row and its last column deleted. Due to (i) we have $a \ne 0$. The transpose of the matrix $B$ arises from $A'$ by deleting the $i$-th column, which is linearly dependent on the remaining columns (see (ii) and note that $A''$ is symmetric). Thus the rank of $B$ is equal to the rank of $A'$, which is $N/2 - 1$, and hence $\det B \ne 0$. Consequently $\det A \ne 0$ and $S(N) = N/2$. □
Lemma 4. If $L(N) = N/2$ and $S(N) = N/2 - 1$ then $S(N-2) = N/2 - 1$.

Proof. If $L(N) = N/2$ then $L(N-1) = N/2$ (Proposition 1) and $S(N-1) = N/2 - 1$ (second part of Theorem 1).

Assuming $S(N-2) < N/2 - 1$, Lemma 3 yields $S(N) = N/2$, a contradiction. Hence $S(N-2) \ge N/2 - 1$ and since $S(N-2) \le S(N-1) = N/2 - 1$ we infer $S(N-2) = N/2 - 1$. □

Now we are in a position to give a full answer to the question to which extent 
the linear complexity profile determines the lattice profile. 

Theorem 2. Assume $L(N_1) = N_1/2$, $L(N_2) = N_2/2$, $N_1 < N_2$ and there is no $N$ with $N_1 < N < N_2$ and $L(N) = N/2$. Then $S(N)$ is completely determined by $S(N_1)$ for all $N$ with $N_1 \le N < N_2$. In particular one of the following two cases occurs:

1. If $S(N_1) = L(N_1)$ then

$$S(N) = \begin{cases} \min\{L(N), N + 1 - L(N)\}, & N_1 \le N \le N_2 - 2 \\ N_2/2 - 1, & N = N_2 - 1. \end{cases}$$

2. If $S(N_1) = L(N_1) - 1$ then

$$S(N) = \min\{L(N), N + 1 - L(N)\} - 1, \quad N_1 \le N \le N_2 - 1.$$

Additionally in case 2. we have $S(N_2) = N_2/2$.

Proof. An immediate application of Proposition 1 to our assumptions results in

$$L(N) = \begin{cases} N_1/2, & N_1 \le N \le (N_1 + N_2)/2 - 1 \\ N_2/2, & (N_1 + N_2)/2 \le N \le N_2. \end{cases}$$

According to Theorem 1 we have either $S(N_1) = N_1/2$ or $S(N_1) = N_1/2 - 1$.

$S(N_1) = N_1/2$: Since $L(N)$ does not increase for $N$ between $N_1$ and $(N_1 + N_2)/2 - 1$, the unique (see e.g. [2, Lemma 3]) linear recurrence relation of minimal length satisfied by the first $N$ terms of $(\eta_n)$ persists for $N \in [N_1, (N_1 + N_2)/2 - 1]$. Due to Proposition 3 also $S(N)$ is constant in this interval. For $N \in [(N_1 + N_2)/2, N_2 - 2]$ Lemma 2 ensures that $S(N)$ increases by 1 in each step. This matches exactly with the provided formula. For $N = N_2 - 1$ we have $L(N) = (N+1)/2$ and thus $S(N) = (N-1)/2$ follows by the second part of Theorem 1.

$S(N_1) = N_1/2 - 1$: For $N_1 \le N \le N_2 - 1$ the same arguments as in the first case apply. It remains to prove $S(N_2) = N_2/2$. Since $L(N_2) = N_2/2$ we have either $S(N_2) = N_2/2$ or $S(N_2) = N_2/2 - 1$ (Theorem 1). Assume $S(N_2) = N_2/2 - 1$, then Lemma 4 implies $S(N_2 - 2) = N_2/2 - 1$. However, we have already proved that $S(N_2 - 2) = \min\{N_2/2, N_2 - 2 + 1 - N_2/2\} - 1 = N_2/2 - 2$, a contradiction. □
Corollary 1. Let $(L(N))_{N \ge 0}$ be the linear complexity profile of some sequence and $N_0 = 0 < N_1 < N_2 < \cdots$ the sequence of all $K$ with $L(K) = K/2$. Then the lattice profile $(S(N))_{N \ge 0}$ of this sequence can be computed from $(L(N))_{N \ge 0}$ provided the values $S(N_i) \in \{L(N_i), L(N_i) - 1\}$ are known for all $i \ge 1$. These values obey the following relation: If $S(N_i) = L(N_i) - 1$ for some $i$ then $S(N_{i+1}) = L(N_{i+1})$.

Proof. The corollary follows immediately from Theorem 2 for all $N$ with $N \le N_i$ for some $i$. If there is a largest $K$ with $L(K) = K/2$ then $L(N) = K/2$ for all $N \ge K$ and thus $S(N) = S(K)$ by Proposition 3. □



In the following figures the progression of $L(N)$ and $S(N)$ for $N_1 \le N \le N_2$ in cases 1. and 2. is demonstrated.

[Figure, Ad 1.: $S(N)$ and $L(N)$ plotted against $N$, with $N$ marked at $N_1$, $(N_1 + N_2)/2$ and $N_2$.]

[Figure, Ad 2.: the same plot for case 2.]
In case 1. we indicated by the question mark that there are two possible values for $S(N_2)$, namely $N_2/2$ or $N_2/2 - 1$. The following examples show that both cases occur.

Example 1. 1. We consider the sequence

$$(\eta_n) = (0, 1, 1, 0, -1, 0, 2, 2).$$

The first 5 terms fulfill the relation $\eta_{n+2} = -\eta_n + \eta_{n+1}$, the whole sequence satisfies $\eta_{n+4} = \eta_n - \eta_{n+2} + \eta_{n+3}$ and we obtain the following values for $L$ and $S$:

N    | 2 | 3 | 4 | 5 | 6 | 7 | 8
L(N) | 2 | 2 | 2 | 2 | 4 | 4 | 4
S(N) | 1 | 1 | 2 | 2 | 3 | 3 | 3

With $N_1 = 4$ and $N_2 = 8$ we have $S(N_1) = L(N_1)$ and $S(N_2) = L(N_2) - 1$.
2. We consider the sequence

$$(\eta_n) = (0, 1, 1, 0, -1, 0, 1, 1).$$

The only thing changed in comparison to the example before is that the whole sequence now satisfies $\eta_{n+4} = \eta_n - \eta_{n+1}$ and we obtain

N    | 2 | 3 | 4 | 5 | 6 | 7 | 8
L(N) | 2 | 2 | 2 | 2 | 4 | 4 | 4
S(N) | 1 | 1 | 2 | 2 | 3 | 3 | 4

So in this case we have $S(N_1) = L(N_1)$ and $S(N_2) = L(N_2)$.
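Both profiles of Example 1 can be recomputed from the definitions. The following is an added example, not code from the paper: $L(N)$ is obtained with the Berlekamp-Massey algorithm over the rationals, and $S(N)$ as the largest $s$ for which the $s \times (N-s)$ matrix of first differences $(\eta_{i+j+1} - \eta_{i+j})$, the matrix used in the proofs of Lemmas 1 and 3, has rank $s$; Theorem 1 is then checked at every $N$.

```python
"""Linear complexity profile and lattice profile of a finite sequence over Q (added example)."""
from fractions import Fraction

def linear_complexity_profile(seq):
    """Return [L(0), L(1), ..., L(len(seq))] via Berlekamp-Massey.

    C(x) = 1 + c_1 x + ... encodes eta_n + c_1 eta_{n-1} + ... = 0 for the terms seen so far,
    so the order L of the recurrence is the current linear complexity.
    """
    s = [Fraction(v) for v in seq]
    C, B = [Fraction(1)], [Fraction(1)]      # current and previous connection polynomials
    L, m, b = 0, 1, Fraction(1)              # order, shift since last jump, last discrepancy
    profile = [0]
    for n, sn in enumerate(s):
        d = sn + sum(C[i] * s[n - i] for i in range(1, len(C)) if n - i >= 0)
        if d == 0:
            m += 1
        else:
            T = C[:]
            C += [Fraction(0)] * max(0, len(B) + m - len(C))
            for i, bi in enumerate(B):       # C(x) -= (d/b) x^m B(x)
                C[i + m] -= d / b * bi
            if 2 * L <= n:                   # the order jumps to n + 1 - L (Proposition 1 (ii))
                L, B, b, m = n + 1 - L, T, d, 1
            else:
                m += 1
        profile.append(L)
    return profile

def rank(rows):
    """Rank of a matrix of Fractions by Gaussian elimination."""
    M = [list(r) for r in rows]
    r = 0
    for c in range(len(M[0]) if M else 0):
        piv = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(len(M)):
            if i != r and M[i][c] != 0:
                f = M[i][c] / M[r][c]
                M[i] = [x - f * y for x, y in zip(M[i], M[r])]
        r += 1
        if r == len(M):
            break
    return r

def lattice_level(seq, N):
    """S((eta_n), N): the largest s such that the first N terms pass the s-dimensional N-lattice test.

    The vectors eta_n - eta_0 (1 <= n <= N-s) span K^s iff the s x (N-s) matrix
    D[i][j] = eta_{i+j+1} - eta_{i+j} has rank s.
    """
    if N < 2:
        return 0                             # convention S(0) = S(1) = 0
    eta = [Fraction(v) for v in seq[:N]]
    diff = [eta[k + 1] - eta[k] for k in range(N - 1)]
    level = 0
    for s in range(1, N // 2 + 1):
        D = [[diff[i + j] for j in range(N - s)] for i in range(s)]
        if rank(D) != s:
            break                            # failing s means failing every larger s
        level = s
    return level

def lattice_profile(seq):
    return [lattice_level(seq, N) for N in range(len(seq) + 1)]

def theorem1_holds(seq):
    """S(N) equals min{L(N), N+1-L(N)} or that value minus 1, for every N >= 1 (Theorem 1)."""
    Ls, Ss = linear_complexity_profile(seq), lattice_profile(seq)
    return all(Ss[N] in (min(Ls[N], N + 1 - Ls[N]), min(Ls[N], N + 1 - Ls[N]) - 1)
               for N in range(1, len(seq) + 1))

if __name__ == "__main__":
    for seq in ([0, 1, 1, 0, -1, 0, 2, 2], [0, 1, 1, 0, -1, 0, 1, 1]):   # the two sequences of Example 1
        print("L(2..8):", linear_complexity_profile(seq)[2:], "S(2..8):", lattice_profile(seq)[2:])
```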

We point out another consequence of Theorem 2 which will turn out as an 
important feature of the lattice profile. 
Corollary 2. Let $(S(N))_{N \ge 0}$ be the lattice profile of a sequence and $N_1 < N_2$ two consecutive numbers $K$ with the property $S(K) = K/2$. Then we have for all $N \in [N_1, N_2]$

$$S(N) = \max\{N_1/2, N - N_2/2\}.$$

Proof. The assertion follows directly from Lemma 4 and Theorem 2 if one considers the two possible cases occurring there and how these cases can be connected. □

In other words Corollary 2 means: when the lattice profile $S(N)$ starts to increase, it steadily increases until it meets the upper bound $N/2$.

Conversely to what we stated in Theorem 2 we can also compute the linear 
complexity profile in terms of the lattice profile. 

Theorem 3. Suppose $S(N_1) = N_1/2$, $S(N_2) = N_2/2$, $N_1 < N_2$, and there is no $N$ with $N_1 < N < N_2$ and $S(N) = N/2$. Then $L(N)$ is completely determined by $L(N_2)$ for all $N_1 < N \le N_2$. In particular, one of the following holds true:

1. If $L(N_2) = S(N_2)$ then

$$L(N) = \begin{cases} N_1/2 + 1, & N_1 < N \le (N_1 + N_2)/2 \\ N_2/2, & (N_1 + N_2)/2 < N \le N_2. \end{cases}$$

2. If $L(N_2) = S(N_2) + 1$ then

$$L(N) = \begin{cases} N_1/2, & N_1 < N \le (N_1 + N_2)/2 \\ N_2/2 + 1, & (N_1 + N_2)/2 < N \le N_2. \end{cases}$$

Additionally we have $L(N_1) = N_1/2$ in the second case. In the first case $L(N_1)$ is either $N_1/2$ or $N_1/2 + 1$.

The proof utilizes Theorem 2 and some basic properties of the linear complex- 
ity/lattice profile and is omitted here. 

3 Intrinsic Description of Lattice Profiles 

We have proved several properties of the lattice profile of a sequence. Now we show that some of them characterize lattice profiles among all functions on the nonnegative integers $\mathbb{N}_0$.

Theorem 4. Let $S : \mathbb{N}_0 \to \mathbb{N}_0$ be a function on the nonnegative integers. Then $S(N)$ is the lattice profile $S((\eta_n), N)$ of some sequence $(\eta_n)$ in the field $K$ if and only if

(i) $S(N) \le N/2$,

(ii) $S(N) \le S(N+1) \le S(N) + 1$,

(iii) if $s = S(N) < S(N+1)$ then

$$S(N+1) < \cdots < S(2(N-s)) = N - s.$$
Proof. Proposition 2 and Corollary 2 show that the conditions (i)-(iii) are necessary.

Now we show the sufficiency. (i) implies that $S(0) = S(1) = 0$ and $S(2) \le 1$. We choose $\eta_1 = \eta_0$ if $S(2) = 0$ and $\eta_1 \ne \eta_0$ if $S(2) = 1$, respectively. Now suppose $\eta_0, \ldots, \eta_{N-1}$ have been chosen and $S((\eta_n), i) = S(i)$ for $0 \le i \le N$. If $S(N) = N/2$ then by (i) and (ii) $S(N+1) = N/2$ and whatever $\eta_N$ is we obtain $S((\eta_n), N+1) = S(N+1)$. Also, if $S(N-1) < S(N) < N/2$ we can choose $\eta_N$ arbitrarily to result in $S(N+1) = S(N) + 1$ (by (iii)) and $S((\eta_n), N+1) = S((\eta_n), N) + 1$ (by Corollary 2).

Thus we may assume that $S(N-1) = S(N) =: s < N/2$ and we have to show that we can choose $\eta_N$ such that $S((\eta_n), N+1) = s$ or $S((\eta_n), N+1) = s + 1$: If $s = 0$ then $\eta_0 = \cdots = \eta_{N-1}$ and obviously $\eta_N$ can be chosen properly. For $s > 0$ we consider the $(s+1) \times (N-s)$ matrix

$$A = \begin{pmatrix} \eta_1 - \eta_0 & \eta_2 - \eta_1 & \cdots & \eta_{N-s-1} - \eta_{N-s-2} & \eta_{N-s} - \eta_{N-s-1} \\ \eta_2 - \eta_1 & \eta_3 - \eta_2 & \cdots & \eta_{N-s} - \eta_{N-s-1} & \eta_{N-s+1} - \eta_{N-s} \\ \vdots & \vdots & & \vdots & \vdots \\ \eta_s - \eta_{s-1} & \eta_{s+1} - \eta_s & \cdots & \eta_{N-2} - \eta_{N-3} & \eta_{N-1} - \eta_{N-2} \\ \eta_{s+1} - \eta_s & \eta_{s+2} - \eta_{s+1} & \cdots & \eta_{N-1} - \eta_{N-2} & \eta_N - \eta_{N-1} \end{pmatrix}.$$

Firstly we focus on the first $s$ rows of $A$ and denote this matrix with $B$. Since $S((\eta_n), N) = s$ the rank of $B$ is $s$; due to $S((\eta_n), N-1) = s$ the last column of $B$ is a linear combination of the first $N - s - 1$ columns. This means that among the first $N - s - 1$ columns of $B$ there are $s$ which are linearly independent, say those with indices $i_1, \ldots, i_s$.

Now let $C$ be the matrix consisting of the columns of $A$ with indices $i_1, \ldots, i_s$ and $N - s$, i.e., $C$ is an $(s+1) \times (s+1)$ matrix. We compute $\det C$ by means of expansion by minors with the last column and obtain

$$\det C = (\eta_N - \eta_{N-1})\alpha + \beta,$$

where $\alpha \ne 0$ and $\alpha, \beta$ only depend on $\eta_0, \ldots, \eta_{N-1}$ and not on $\eta_N$. Thus for all but one choice of $\eta_N$ we have $\det C \ne 0$ so that the rank of $A$ is $s + 1$ and consequently $S((\eta_n), N+1) = s + 1$.

On the other hand consider the first $N - s - 1$ columns of $A$. $S((\eta_n), N-1) = S((\eta_n), N) = s$ means that the last row of this matrix is a linear combination of the first $s$ rows. So by choosing $\eta_N$ accordingly, also the last row of $A$ depends on the first $s$ rows of $A$ and for this choice of $\eta_N$ we have $S((\eta_n), N+1) = s$. This completes the proof. □

In [4] the results derived here are used to compute counting functions and ex- 
pected values of the lattice profile at N for sequences in finite fields. 
Abstract. Every symplectic spread of $PG(3,q)$, or equivalently every ovoid of $Q(4,q)$, is shown to give a certain family of permutation polynomials of $GF(q)$ and conversely. This leads to an algebraic proof of the existence of the Tits-Lüneburg spread of $W(2^{2h+1})$ and the Ree-Tits spread of $W(3^{2h+1})$, as well as to a new family of low-degree permutation polynomials over $GF(3^{2h+1})$.



Let $PG(3,q)$ denote the projective space of three dimensions over $GF(q)$. A spread of $PG(3,q)$ is a partition of the points of the space into lines. A spread is called symplectic if every line of the spread is totally isotropic with respect to a fixed non-degenerate alternating form. Explicitly, the points of $PG(3,q)$ are equivalence classes of nonzero vectors $(x_0, x_1, x_2, x_3)$ over $GF(q)$ modulo multiplication by $GF(q)^*$. Since all non-degenerate alternating forms on $PG(3,q)$ are equivalent (cf. [9, p. 587] or [12, p. 69]), we may use the form

$$\langle (x_0, x_1, x_2, x_3), (y_0, y_1, y_2, y_3) \rangle = x_0y_3 - x_3y_0 - x_1y_2 + y_1x_2. \qquad (1)$$

Then a symplectic spread is a partition of the points of $PG(3,q)$ into lines such that $\langle P, Q \rangle = 0$ for any points $P, Q$ lying on the same line of the spread.

Symplectic spreads are equivalent to other objects. A symplectic spread is a spread of the generalised quadrangle $W(q)$ (sometimes denoted as $Sp(4,q)$), whose points are the points of $PG(3,q)$ and whose lines are the totally isotropic lines with respect to a non-degenerate alternating form. By the Klein correspondence (see for example [4], [12, pp. 189] or [15]), a spread of $W(q)$ gives an ovoid of the generalised quadrangle $Q(4,q)$ (sometimes denoted $O(5,q)$) and vice-versa.

Let $S$ be a spread of $PG(3,q)$. There are $q^3 + q^2 + q + 1$ points in $PG(3,q)$, and each line contains $q + 1$ points. Since $S$ is a partition of the points of $PG(3,q)$ into lines, it contains exactly $q^2 + 1$ lines. The group $PGL(4,q)$ acts transitively

* Supported in part by the Ministerio de Ciencia y Tecnologia, Espana. 
(c) Springer-Verlag Berlin Heidelberg 2003







Simeon Ball and Michael Zieve 



on the lines of $PG(3,q)$, so let us assume that $S$ contains the line $l_\infty$, which we define as

$$\langle (0,0,0,1), (0,0,1,0) \rangle.$$

The plane $X_0 = 0$ contains $l_\infty$, so each of the other lines of the spread contains precisely one of the $q^2$ points $\{\langle (0,1,x,y) \rangle \mid x, y \in GF(q)\}$. The plane $X_1 = 0$ also contains $l_\infty$, so the other $q^2$ lines of the spread are given by two functions $f$ and $g$ such that

$$S = l_\infty \cup \{\langle (0,1,x,y), (1,0,f(x,y),g(x,y)) \rangle \mid x, y \in GF(q)\}.$$

The spread condition is satisfied if and only if for each $a \in GF(q)$ the plane $X_1 = aX_0$ is partitioned by the lines of the spread. These planes contain $l_\infty$ and meet the other lines of $S$ in the points

$$\{\langle (1, a, ax + f(x,y), ay + g(x,y)) \rangle \mid x, y \in GF(q)\}.$$

Hence the spread condition is satisfied if and only if

$$(x,y) \mapsto (ax + f(x,y), ay + g(x,y))$$

is a permutation of $GF(q)^2$ for all $a \in GF(q)$.

We are interested here in symplectic spreads. The line $l_\infty$ is totally isotropic with respect to the form (1). The other lines of the spread are totally isotropic with respect to the form (1) if and only if for all $x$ and $y \in GF(q)$

$$\langle (0,1,x,y), (1,0,f(x,y),g(x,y)) \rangle = -y - f(x,y)$$

is zero. Hence

$$S := l_\infty \cup \{\langle (0,1,x,y), (1,0,-y,g(x,y)) \rangle \mid x, y \in GF(q)\}$$

will be a symplectic spread if and only if

$$(x,y) \mapsto (ax - y, ay + g(x,y)) \qquad (2)$$

is a permutation of $GF(q)^2$ for all $a \in GF(q)$. Now make the substitution $b = ax - y$ to see that this is equivalent to $x \mapsto a(ax - b) + g(x, ax - b)$ being a permutation of $GF(q)$ for all $a, b \in GF(q)$, which is equivalent to $x \mapsto g(x, ax - b) + a^2x$ being a permutation of $GF(q)$ for all $a, b \in GF(q)$.

Although merely an observation, this fact seems not to have been noted before, and as we shall see it can be quite useful. So let us formulate this in a theorem.

Theorem 1. The set of totally isotropic lines

$$l_\infty \cup \{\langle (0,1,x,y), (1,0,-y,g(x,y)) \rangle \mid x, y \in GF(q)\}$$

is a (symplectic) spread if and only if

$$x \mapsto g(x, ax - b) + a^2x$$

is a permutation of $GF(q)$ for all $a, b \in GF(q)$. ■
Symplectic spreads of $PG(3,q)$ are rare. All the known examples are given in Table 1 which comes from [11]. In particular, the regular spreads are those for which the polynomial $g(x,y)$ has total degree 1. The main result in [3] implies that when $q$ is prime, symplectic spreads of $PG(3,q)$ are regular.



name | $g(x,y)$ | $q$ | restrictions
regular | $-nx$ | odd | $n$ non-square
Kantor [8] | $-nx^{\sigma}$ | odd | $n$ non-square, $\sigma \mid q$
Thas-Payne [14] | $-nx - (n^{-1}x)^{1/9} - y^{1/3}$ | $3^h$ | $n$ non-square, $h > 2$
Penttila-Williams [11] | | $3^5$ |
Ree-Tits slice [8] | $-x^{2\alpha+3} - y^{\alpha}$ | $3^{2h+1}$ | $\alpha = \sqrt{3q}$
regular | $cx + y$ | even | $\mathrm{Tr}_{q/2}(c) = 1$
Tits-Lüneburg [15] | $x^{\alpha+1} + y^{\alpha}$ | $2^{2h+1}$ | $\alpha = \sqrt{2q}$

Table 1. The known examples of symplectic spreads of $PG(3,q)$



Note that from any of the examples in the table we could make many other equivalent symplectic spreads and that the function $g(x,y)$ will not in general have such a nice form. For instance, all the examples in the table give spreads $S$ that contain the line $l$

$$\langle (0,1,0,0), (1,0,0,0) \rangle.$$

The linear map $\tau$ that switches $X_0$ and $X_3$ and switches $X_1$ and $X_2$ preserves the form (1) but switches $l_\infty$ and $l$. The other $q^2 - 1$ lines in $S$ are mapped to the lines

$$\{\langle (y, x, 1, 0), (g(x,y), -y, 0, 1) \rangle \mid x, y \in GF(q),\ (x,y) \ne (0,0)\}$$

by $\tau$. Writing these lines as the spans of their points on the planes $X_0 = 0$ and $X_1 = 0$, these lines are

$$\{\langle (0,1,u,v), (1,0,-v,-vx/y) \rangle \mid x, y \in GF(q),\ (x,y) \ne (0,0)\},$$

where

$$u = \frac{g(x,y)}{xg(x,y) + y^2} \quad \text{and} \quad v = \frac{-y}{xg(x,y) + y^2}.$$

(When $y = 0$ we interpret $-vx/y$ to be $1/g(x,0)$.) Now one would have to calculate $-vx/y$ in terms of $u$ and $v$ to deduce the function $g(x,y)$ for the spread $\tau(S)$. For an explicit example of this, consider the Kantor spread $S$ over
$GF(27)$ with $g(x,y) = -nx^{\sigma}$ where $n = -1$. The function $g(u,v)$ for $\tau(S)$ is



21 4 
nu V 



^8^19^18 ^ ^2^17^6 ^ ^4^9^10 ^ ^18^5^12 



n'V. 



A polynomial $h$ in one variable over $GF(q)$ is called additive if $h(x + u) = h(x) + h(u)$ for all $x, u \in GF(q)$. In case $g(x,y) = h_1(x) + h_2(y)$ with $h_1$ and $h_2$ being additive polynomials, the symplectic spread corresponds to a translation ovoid of $Q(4,q)$, which in turn comes from a semifield flock of the quadratic cone in $PG(3,q)$. This has been the subject matter of a number of articles, see for example [1], [2] or [10]. The classification of such examples is an open problem whose solution would be of much interest. The partial classification in [2] implies that if there are any further examples over $GF(p^h)$ then $p < 4h^2 - 8h + 2$. Theorem 1 in this case reads: The polynomial $g(x,y) = h_1(x) + h_2(y)$ will give a symplectic spread if and only if $h_1(x) + h_2(ax) + a^2x$ is a permutation polynomial for all $a \in GF(q)$, or equivalently $h_1(x) + h_2(ax) + a^2x$ has no zeros in $GF(q)^*$ for all $a \in GF(q)$.

The two examples where $g(x,y)$ is not of this form are the Tits-Lüneburg spread and the Ree-Tits spread.

Let us first check the Tits-Lüneburg example, where $\alpha = \sqrt{2q}$. In this case

$$g(x, ax - b) + a^2x = x^{\alpha+1} + (ax)^{\alpha} - b^{\alpha} + a^2x.$$

So we should have that $x^{\alpha+1} + (ax)^{\alpha} + a^2x$ is a permutation polynomial for all $a \in GF(q)$, which is easy to see since this polynomial is $(x + a^{\alpha})^{\alpha+1} + a^{\alpha+2}$ (using $a^{\alpha^2} = a^{2q} = a^2$). Note that composing permutation polynomials with permutation polynomials gives permutation polynomials so it is enough to check that $x^{\alpha+1}$ is a permutation polynomial, which it is since $(2^{h+1} + 1, 2^{2h+1} - 1) = 1$.

Now we come to the interesting Ree-Tits slice example, $g(x,y) = -x^{2\alpha+3} - y^{\alpha}$ where $q = 3^{2h+1}$ and $\alpha = \sqrt{3q}$. This spread was discovered by Kantor [8] as an ovoid of $Q(4,q)$. It is the slice of the Ree-Tits ovoid of $Q(6,q)$. It provides us with an interesting class of permutation polynomials, namely, the polynomials

$$f_a(x) := b^{\alpha} - (g(x, ax - b) + a^2x),$$

$$f_a(x) = x^{2\alpha+3} + (ax)^{\alpha} - a^2x.$$



The polynomial $f_a$ is remarkable in that it is a permutation polynomial over $GF(q)$ whose degree is approximately $\sqrt{q}$. There are only a handful of known permutation polynomials with such a low degree. The bulk of these examples are exceptional polynomials, namely polynomials over $GF(q)$ which permute $GF(q^n)$ for infinitely many values $n$. However, we will show below that $f_a$ is not exceptional, so long as $\alpha > 3$ and $a \ne 0$. There are also some non-exceptional permutation polynomials of degree approximately $\sqrt{q}$ in case $q$ is a square or a power of 2. However, our example is the first for which $q$ is an odd nonsquare.

It follows from [8] and Theorem 1 that $f_a$ is a permutation polynomial. Conversely we now give a direct proof that $f_a$ is a permutation polynomial, which (along with Theorem 1) gives a new proof that the Ree-Tits examples are in fact symplectic spreads. Our proof that $f_a$ is a permutation polynomial uses the method of Hans Dobbertin [5].
Theorem 2. Let $q = 3^{2h+1}$ and let $\alpha = \sqrt{3q}$. For all $a \in GF(q)$ the polynomial $f_a(x) := x^{2\alpha+3} + (ax)^{\alpha} - a^2x$ is a permutation polynomial over $GF(q)$.

Proof. If $f_a(x)$ is a permutation polynomial then so is $\zeta^{2\alpha+3} f_a(x/\zeta)$ for any $\zeta \in GF(q)^*$, and the latter polynomial equals $f_{a\zeta^{\alpha+1}}(x)$. Since $(\alpha + 1, q - 1) = 2$, it follows that if $f_a$ is a permutation polynomial then so is $f_{a\zeta^2}$ for any $\zeta \in GF(q)^*$. Thus it suffices to verify the theorem for a single nonzero square $a$, a single nonsquare $a$, and the value $a = 0$ (in which case the theorem is trivial). Since $-1$ is a non-square in $GF(3^{2h+1})$ we can assume from now on that $a^2 = 1$.

Suppose that $f_a$ is not a permutation polynomial. Let $x, y$ be distinct elements of $GF(q)$ such that $f_a(x) = f_a(y) = d$. The equations $f_a(x) = d$ and $f_a(x)^{\alpha} = d^{\alpha}$ give

$$x^{2\alpha+3} + ax^{\alpha} - x = d \qquad (3)$$

$$x^{3\alpha+6} + ax^3 - x^{\alpha} = d^{\alpha}. \qquad (4)$$

By viewing these equations as low-degree polynomials in $x^{\alpha}$ whose coefficients are low-degree polynomials in $x$, we can solve for $x^{\alpha}$ as a low-degree rational function in $x$.
function in x. Namely, multiplying (3) by and then subtracting (4) gives 

+ = (5) 

multiplying (3) by $a$ and subtracting (5) gives

$$x^{\alpha}(x^4 + dx^3) = ax + da - ax^3 + d^{\alpha}. \qquad (6)$$

This expresses $x^{\alpha}$ as a low-degree rational function in $x$, so long as $x \notin \{0, -d\}$. For later use we record this equation in the form $F(x^{\alpha}, x) = 0$ where

$$F(T, U) := U^4T + dU^3T - aU - da + aU^3 - d^{\alpha}.$$

Note that $x$ and $y$ are not both in $\{0, -d\}$, for if so then $d = f_a(0) = 0$ so $x = y = 0$, contradiction. Thus, by swapping $x$ and $y$ if necessary, we may assume $x \notin \{0, -d\}$.

Solving for $x^{\alpha}$ in (6) and substituting into (3) gives a low-degree polynomial satisfied by $x$:

$$(ax + da - ax^3 + d^{\alpha})^2 + a(x + d)(ax + da - ax^3 + d^{\alpha}) = (x^2 + dx)^3.$$

By expanding this equation we get

$$(d^{\alpha}a - d^3)x^3 - x^2 + dx - d^2 + d^{2\alpha} = 0. \qquad (7)$$

Next we handle the cases $y = 0$ and $y = -d$. If $y = 0$ then $d = f_a(y) = 0$ and (7) implies $x = 0$, contradiction. If $y = -d$ then the analogue of (6) with $y$ in place of $x$ says that $d^{\alpha} = -ad^3$, so $d^{2\alpha-6} = 1$ and since $(q - 1, 2\alpha - 6) = 2$ that $d^2 = 1$ and hence $a = -1$. Then equation (7) simplifies to $dx(x + d)^2 = 0$. Since $d = 0$ implies $x = 0$ we have $x \in \{0, -d\}$, again a contradiction.
Hence we may assume $y \notin \{0, -d\}$, and moreover we may assume $d \ne 0$ and $d^3 \ne -d^{\alpha}a$. We can also assume that $d^3 \ne d^{\alpha}a$. For, if $d^3 = d^{\alpha}a$ then $d^{2\alpha-6} = 1$ and again since $(q - 1, 2\alpha - 6) = 2$ that $d^2 = 1$ and hence $a = 1$. Then equation (7) simplifies to $x(x - d) = 0$, so $x = y = d$, a contradiction.

In particular, equation (7) remains valid if we substitute $y$ for $x$. Thus $x$ and $y$ are roots of the polynomial

$$\psi(t) := (d^{\alpha}a - d^3)t^3 - t^2 + dt - d^2 + d^{2\alpha}. \qquad (8)$$

We express the roots of $\psi$ in terms of $x$. Since $\psi(x) = 0$, we know that $t - x$ is a factor of $\psi(t)$; in fact, writing $A := d^{\alpha}a - d^3$, we have

$$\psi(t)/(t - x) = At^2 + (Ax - 1)t + (Ax^2 + d - x). \qquad (9)$$

The discriminant of this quadratic polynomial is

$$\delta := (Ax - 1)^2 - A(Ax^2 + d - x) = 1 - A(x + d).$$

If $\delta = 0$ then $x = -d + 1/A$ and $y = (Ax - 1)/A = -d$, which we have already excluded, so assume from now on that $\delta \ne 0$.

Substituting $d = x^{2\alpha+3} + ax^{\alpha} - x$ we find that

$$A = -x^{6\alpha+9} + ax^{3\alpha+6} - ax^{3\alpha} - ax^{\alpha} - x^3$$

and

$$\delta = (x^{4\alpha+6} - ax^{3\alpha+3} + x^{2\alpha} + ax^{\alpha+3} - 1)^2.$$

Thus putting $\sqrt{\delta} = x^{4\alpha+6} - ax^{3\alpha+3} + x^{2\alpha} + ax^{\alpha+3} - 1$, we can write the roots of $\psi(t)/(t - x)$ as



$y_1 := x - (\sqrt{\delta} + 1)/A =$



a;3“+4 + + ax 

a;3“+3 + + a 



and 



$y_2 := x + (\sqrt{\delta} - 1)/A =$



^3q;+ 7 ^^2o:+4 ^o;+3 



ct-l- 1 I 4 
X ^ _ Q 



^3a+6 , 



p2o;-|-3 , 



Now one can verify that $F(y_2, y_1) = 0$ and $F(y_1, y_2) = 0$. But we know that $F(y^{\alpha}, y) = 0$ and $y \in \{y_1, y_2\}$. Since $y_1 \ne y_2$, this implies $F(T, y) = 0$ has more than one root. But this is a linear polynomial in $T$, a contradiction. ■
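As an added check that is not part of the paper, the following code verifies Theorem 2 and the Theorem 1 criterion exhaustively in the smallest case $h = 1$, i.e. $q = 27$ and $\alpha = 9$; it uses the constructed representation $GF(27) = GF(3)[t]/(t^3 - t - 1)$ (the modulus is an assumption of the example) and also shows that the regular spread $g(x,y) = -nx$ of Table 1 passes the criterion exactly when $n$ is a non-square.

```python
"""Exhaustive check of Theorems 1 and 2 over GF(27): h = 1, alpha = 9, alpha^2 = 3q (added example).

Field elements are integers 0..26 encoding c0 + c1 t + c2 t^2 in base 3, with t^3 = t + 1
(t^3 - t - 1 has no root in GF(3), so it is irreducible; this modulus is our choice).
"""
P, DEG, Q = 3, 3, 27
ALPHA = 9

def to_coeffs(u):
    return [(u // P**i) % P for i in range(DEG)]

def from_coeffs(c):
    return sum(ci * P**i for i, ci in enumerate(c))

def add(u, v):
    return from_coeffs([(a + b) % P for a, b in zip(to_coeffs(u), to_coeffs(v))])

def neg(u):
    return from_coeffs([(-a) % P for a in to_coeffs(u)])

def sub(u, v):
    return add(u, neg(v))

def mul(u, v):
    a, b = to_coeffs(u), to_coeffs(v)
    prod = [0] * (2 * DEG - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % P
    for k in range(2 * DEG - 2, DEG - 1, -1):   # reduce with t^3 = t + 1: t^k = t^(k-3) + t^(k-2)
        c, prod[k] = prod[k], 0
        prod[k - 3] = (prod[k - 3] + c) % P
        prod[k - 2] = (prod[k - 2] + c) % P
    return from_coeffs(prod[:DEG])

def power(u, e):
    r = 1
    while e:
        if e & 1:
            r = mul(r, u)
        u, e = mul(u, u), e >> 1
    return r

def is_square(n):
    return any(mul(u, u) == n for u in range(Q))

def is_symplectic_spread(g):
    """Theorem 1: the lines l_inf and <(0,1,x,y),(1,0,-y,g(x,y))> form a symplectic spread
    iff x -> g(x, ax - b) + a^2 x permutes GF(q) for every a, b."""
    for a in range(Q):
        a2 = mul(a, a)
        for b in range(Q):
            image = {add(g(x, sub(mul(a, x), b)), mul(a2, x)) for x in range(Q)}
            if len(image) != Q:
                return False
    return True

def ree_tits_g(x, y):
    """g(x,y) = -x^(2 alpha + 3) - y^alpha (Ree-Tits slice, Table 1)."""
    return neg(add(power(x, 2 * ALPHA + 3), power(y, ALPHA)))

def regular_g(n):
    """g(x,y) = -n x (regular spread, q odd, Table 1)."""
    return lambda x, y: neg(mul(n, x))

def f_a(a, x):
    """f_a(x) = x^(2 alpha + 3) + (ax)^alpha - a^2 x (Theorem 2)."""
    return sub(add(power(x, 2 * ALPHA + 3), power(mul(a, x), ALPHA)), mul(mul(a, a), x))

def f_a_is_permutation(a):
    return len({f_a(a, x) for x in range(Q)}) == Q

if __name__ == "__main__":
    print("f_a permutes GF(27) for every a:", all(f_a_is_permutation(a) for a in range(Q)))
    print("Ree-Tits slice passes Theorem 1:", is_symplectic_spread(ree_tits_g))
    print("regular spread, n = 2 (non-square):", is_symplectic_spread(regular_g(2)))
    print("regular spread, n = 1 (square):", is_symplectic_spread(regular_g(1)))
```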

Recall that a polynomial / over GF{q) is called exceptional if it permutes 
GF{q^) for infinitely many n. We now show that, except in some special cases, fa 
is not exceptional. Our proof relies on the classification of monodromy groups of 
indecomposable exceptional polynomials, due to Fried, Guralnick, and Saxl [6]. 
A polynomial is indecomposable if it is not the composition of two polynomials 
of lower degree. 



Lemma 1. When $\alpha > 3$ and $a \ne 0$, $f_a(x)$ is indecomposable.
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Proof. The derivative of fa is which is a nonzero constant. If 

fa{x) = g{h{x)) then — = f'a{x) = g'{h{x))h'{x), so both g' and h' are nonzero 
constants. Thus g{x) = u{x^) + cx and h{x) = v{x^) + dx for some polynomials 
u and V and nonzero constants c and d. Since the degree of fa is not divisible 
by 9, either g or h has degree not divisible by 3, and hence must have degree 1. 
Thus fa is indecomposable. ■ 

Theorem 3. When $\alpha > 3$ and $a \neq 0$, $f_a(x)$ is not exceptional. 

Proof. This follows directly from the preceding lemma and [6, Theorems 13.6 and 14.1], according to which there is no indecomposable exceptional polynomial of degree $2\alpha + 3$ over a finite field of characteristic 3. ■ 

In all the examples in Table 1 the polynomial $g$ is of the form $g(x,y) = h_1(x) + h_2(y)$. In Glynn [7] a polynomial $g(x,y)$ with this property is called separable. Every known example of a symplectic spread of $PG(3,q)$ is equivalent to a symplectic spread with $g(x,y)$ separable. In the examples not only is the polynomial $g(x,y) = h_1(x) + h_2(y)$ separable but $h_2(y) = Cy^{\sigma}$, where $y \mapsto y^{\sigma}$ is an automorphism of $GF(q)$. We can classify these examples in the case when $q$ is even using Glynn's Hering classification of inversive planes [7]. 

Theorem 4. Let $q$ be even. If $g(x,y) = h_1(x) + Cy^{\sigma}$ is a separable polynomial that gives a symplectic spread of $PG(3,q)$ then the spread is either a regular spread or a Tits–Lüneburg spread. 

Proof. If $C = 0$ then Theorem 1 implies $h_1(x) + a^2 x$ is a permutation polynomial for all $a \in GF(q)$. Let $x$ and $y$ be distinct elements of $GF(q)$, and put $d = (h_1(x) + h_1(y))/(x + y)$. Then $h_1(x) + dx = h_1(y) + dy$, so the polynomial $h_1(x) + dx$ is not a permutation polynomial, a contradiction. 

Now assume that $C \neq 0$. Put $z = h_1(x) + Cy^{\sigma}$ and rewrite this as $y = C^{-1/\sigma} z^{1/\sigma} - C^{-1/\sigma} h_1(x)^{1/\sigma}$. Define the function $s(x,z) := C^{-1/\sigma} z^{1/\sigma} - C^{-1/\sigma} h_1(x)^{1/\sigma}$. Then $g(x,y) = z$ if and only if $s(x,z) = y$. We have already seen in equation (2) that $g(x,y)$ will give a symplectic spread if and only if 
\[ (x, y) \mapsto (ax - y,\ ay + g(x,y)) \]
is a permutation of $GF(q)^2$. This is equivalent to the condition that for all $(x,y) \neq (u,v)$ 
\[ (ax - y,\ ay + g(x,y)) \neq (au - v,\ av + g(u,v)) \]
for all $a \in GF(q)$. If these pairs were equal then eliminating $a$ gives the condition that for all $(x,y) \neq (u,v)$ 
\[ (y - v)^2 + (x - u)\,(g(x,y) - g(u,v)) \neq 0. \]
Now put $z = g(x,y)$ so that $s(x,z) = y$, and put $w = g(u,v)$ so that $s(u,w) = v$. Then we have that for all $(x,z) \neq (u,w)$ 
\[ (s(x,z) - s(u,w))^2 + (x - u)(z - w) \neq 0. \]
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When $q$ is even this is exactly the polynomial condition on such a polynomial $s(x,z)$ that Glynn studies in [7] and that he classifies as coming from either a regular spread or a Tits–Lüneburg spread. ■ 

When $q$ is odd we can use Thas' classification of flocks of the quadratic cone in $PG(3,q)$ whose planes are incident with a common point, from [13], to prove the following theorem. We realise that for many readers familiar with flocks and semifield flocks the next theorem is immediate, but we include a proof for those readers who may not be. 

Theorem 5. Let $q$ be odd. If $g(x,y) = h_1(x)$ is a separable polynomial that gives a symplectic spread of $PG(3,q)$ then the spread is either a regular spread or a Kantor spread. 

Proof. Consider the set of $q$ planes of $PG(3,q)$ 
\[ \{ X_0 + h_1(x) X_1 + x X_3 = 0 \mid x \in GF(q) \}. \]
We claim that any two of these planes intersect in a line which is disjoint from the degenerate quadric $X_1 X_3 = X_2^2$. Indeed take two planes coordinatised by $x$ and $y$, $x \neq y$. Then the points in their intersection $(z_0, z_1, z_2, z_3)$ satisfy $(h_1(x) - h_1(y))z_1 + (x - y)z_3 = 0$, and the points which also lie on the degenerate quadric satisfy 
\[ (h_1(x) - h_1(y))\, z_1^2 + (x - y)\, z_2^2 = 0. \]
If $z_1 \neq 0$ then $h_1(x) + (z_2/z_1)^2 x$ is not a permutation polynomial, a contradiction. If $z_1 = 0$ then $z_2 = 0$ and $z_0 = -x z_3 = -y z_3$. But $x \neq y$ implies that $z_3 = 0$ and $z_0 = 0$, which is nonsense. We have shown that the set of planes forms a flock of the quadratic cone in $PG(3,q)$. Moreover all these planes are incident with $(0, 0, 1, 0)$. By a theorem of Thas [13] this flock is either linear or of Kantor type. In other words, the spread is either regular or Kantor. ■ 

In general the permutation polynomial condition from Theorem 1 requires the existence of $q^2$ permutation polynomials, one for each pair $(a, b) \in GF(q)^2$. If $g(x,y) = h_1(x) + h_2(y)$ and $h_2(y)$ is additive then Theorem 1 simplifies to: the polynomial $g(x,y) = h_1(x) + h_2(y)$ will give a symplectic spread if and only if $f_a(x) := h_1(x) + h_2(ax) + a^2 x$ is a permutation polynomial for all $a \in GF(q)$. This condition only requires the existence of $q$ permutation polynomials. Moreover, as we saw in the proof of Theorem 2, if the non-zero terms in $h_1$ and $h_2$ have suitable degrees, many of these permutation polynomials may be equivalent. 
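The two conditions just described can be checked by brute force over a small prime field. The following is an added example, not code from the paper: it takes a constructed separable polynomial $g(x,y) = -mx$ (so $h_1(x) = -mx$ and $h_2 = 0$, which is additive), tests whether $(x,y) \mapsto (ax - y, ay + g(x,y))$ is a permutation of $GF(p)^2$ for every $a$, and independently tests whether every $f_a(x) = h_1(x) + h_2(ax) + a^2 x$ permutes $GF(p)$. The prime $p$, the parameter $m$ and all function names are this example's own assumptions.

```python
from itertools import product


def permutes_plane(p, g):
    """Map condition of equation (2) over the prime field GF(p): for every a in GF(p)
    the map (x, y) -> (a*x - y, a*y + g(x, y)) must be a permutation of GF(p)^2.
    Checked exhaustively; g is any Python function of two field elements."""
    points = list(product(range(p), repeat=2))
    for a in range(p):
        images = {((a * x - y) % p, (a * y + g(x, y)) % p) for x, y in points}
        if len(images) != p * p:          # not injective, so not a spread
            return False
    return True


def is_permutation_polynomial(p, f):
    """f permutes GF(p) iff it takes p distinct values on GF(p)."""
    return len({f(x) % p for x in range(p)}) == p


def all_fa_permute(p, h1, h2):
    """Simplified condition for separable g with h2 additive:
    f_a(x) = h1(x) + h2(a x) + a^2 x must be a permutation polynomial for all a."""
    return all(
        is_permutation_polynomial(p, lambda x, a=a: h1(x) + h2(a * x) + a * a * x)
        for a in range(p)
    )


def spread_checks(p, m):
    """Constructed example (assumption of this snippet): h1(x) = -m x, h2 = 0,
    so g(x, y) = -m x. Returns the verdicts of both conditions; they must agree."""
    h1 = lambda x: -m * x
    h2 = lambda y: 0
    g = lambda x, y: h1(x) + h2(y)
    return permutes_plane(p, g), all_fa_permute(p, h1, h2)


def count_spread_parameters(p):
    """Number of m in GF(p)* for which g(x, y) = -m x passes the map condition."""
    return sum(spread_checks(p, m)[0] for m in range(1, p))


if __name__ == "__main__":
    for m in (2, 3):
        print(f"p=7, m={m}: map condition / f_a condition =", spread_checks(7, m))
    print("values of m giving a spread for p=7:", count_spread_parameters(7))
```

For this $g$, eliminating $a$ as in the proof of Theorem 4 gives $(y - v)^2 - m(x - u)^2 \neq 0$, which holds exactly when $m$ is a non-square; so for $p = 7$ the squares $1, 2, 4$ fail and the non-squares $3, 5, 6$ pass, and the two conditions agree on every $m$, as Theorem 1 says they must.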

Let us investigate this further. We define a set of polynomials $\{f_a(x) \mid a \in GF(q)\}$ to be of class $\Delta$ if there exist $t$ and $d$ such that 
\[ f_a(bx) = b^{t} f_{ab^{d}}(x) \]
for all $= 1$ and $a$ and $x \in GF(q)$. Now we can lessen the condition in Theorem 1 for $\Delta < q - 1$. 
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name                q          Δ    (q − 1, Δd) + 1 
regular             odd        1    1 
Kantor              odd        1    (q − 1, (σ − 1)/2) + 1 
Thas–Payne          3^h             9 
Penttila–Williams   3^5        11   23 
Ree–Tits slice      3^{2h+1}   1    3 
regular             even       1    1 
Tits–Lüneburg       2^{2h+1}   1    2 

Table 2. The class Δ of the known examples of symplectic spreads of PG(3, q) 



Theorem 6. Let the set of $q$ polynomials $\{f_a(x) \mid a \in GF(q)\}$, where $f_a(x) = h_1(x) + h_2(ax) + a^2 x$ and $h_2$ is additive, be of class $\Delta$. Then $f_a$ is a permutation polynomial for all $a \in GF(q)$ if and only if $f_a$ is a permutation polynomial for $a = 0$ and $a = e^r$, for all $1 \le r \le (q - 1, \Delta d)$, where $e$ is a fixed primitive element. 

Proof. Write $a =$ where $r_0 \le (q - 1, \Delta d)$. Now choose $b$ such that ■ 

In Table 2 we have listed the class for the known examples and the quantity $(q - 1, \Delta d) + 1$, the number of permutation polynomials that need to be checked in each case. Inspired by this table we used the mathematical package GAP to look at polynomials over $GF(q)$, $q = p^h$, of the form $g(x,y) = Dx^{\tau} + Cy^{\sigma}$ for all $\sigma$ a power of $p$ and $D$ and $C$ elements of $GF(q)$ where the corresponding set of polynomials $\{f_a(x) \mid a \in GF(q)\}$ is of class $\Delta$ with $\Delta$ small. An exhaustive search was carried out for $\Delta < 23$ and $q < 67^2 = 4489$, $\Delta = 2$ and $q < 3^8 = 6561$, $\Delta = 1$ and $q < 3^9 = 19683$. No new examples of symplectic spreads were found. 
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Abstract. In this paper, we survey old and new results about random univariate polynomials over a finite field $\mathbb{F}_q$. We are interested in three aspects: (1) the decomposition of a random polynomial in terms of its irreducible factors, (2) the usage of random polynomials in algorithms, and (3) the average-case analysis of algorithms that use polynomials over finite fields. 



1 Introduction 

Let $\mathbb{F}_q$ be a finite field. Throughout this paper we only consider univariate monic polynomials over $\mathbb{F}_q$. We are interested in three aspects: 

1. how does a random polynomial look in terms of its irreducible factors? 

2. random polynomials in algorithms, and 

3. average-case analysis of algorithms that use polynomials over finite fields. 

It is well-known (and we will see it later) that a polynomial of degree $n$ is irreducible with probability close to $1/n$. Can we say something more about the behavior of a random polynomial? For example, 

— how many irreducible factors should we expect in a random polynomial? 

— how often will it be squarefree? 

— what is the expected largest (smallest) degree among its irreducible factors? and the second largest one? 

— how are the degrees distributed among its irreducible factors? 

— how often is a polynomial $m$-smooth (all irreducible factors of degree smaller than or equal to $m$)? 

— how often are two polynomials $m$-smooth and coprime? 

— and so on. 

Random polynomials over finite fields are used in many algorithms. For example, Rabin [63] proposes a randomized algorithm for finding irreducible polynomials (see also [3]). The index calculus method for computing discrete logarithms in finite fields also takes polynomials at random [7, 16, 57]. 

* The author was funded by NSERC grant number 238757. 
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Moreover, average-case analysis of algorithms that deal with polynomials over 
finite fields can be obtained by counting polynomials with particular properties. 
Thus, properties of random polynomials like the ones stated above can be used 
to explain the behavior of algorithms. Typical areas where these studies can be 
used are: 

— irreducibility tests for polynomials, 

— polynomial factorization, and 

— discrete logarithm problem. 

Flajolet, Gourdon, and Panario [25] give a framework that can be system- 
atically employed to explain the most important features of these algorithms. 
This framework has two basic components: generating functions to express the 
properties of interest for the analysis of the algorithm and asymptotic analysis 
when exact estimations are not possible. In our case, this generic methodology 
closely relates finite fields and their applications to combinatorics and analytic 
number theory. 



1.1 Outline of the Paper 

We present the basic framework in Section 2. First, we introduce the two com- 
ponents of this method: generating functions and asymptotic analysis. Then, we 
give some simple examples of its usage (number of squarefree polynomials, av- 
erage number of irreducible factors, and number of irreducible factors of a fixed 
degree). 

The algorithmic applications form the second part of this paper. Irreducibility tests are discussed in Section 3; polynomial factorization algorithms are commented on in Section 4; and cryptographic applications are presented in Section 5. 

Finally, as a summary of the results, a simplified picture of a random poly- 
nomial and a list of open problems are stated in Section 6. 

We consider the natural measure of cost, that is, operations in the field 
of coefficients of the polynomials. Unless specified otherwise, asymptotic results 
are considered for n, the degree of the polynomial, tending to infinity. We do 
not mention here the cost of doing arithmetic in finite fields; see [37] or [41], for 
example. 

This paper is an extended transcription of the author’s invited talk at the 
7th Finite Fields and their Applications Conference. 

2 Basic Framework 

We extensively use a methodology that belongs to the realm of “analytic combi- 
natorics” , and it has been successfully used in analyzing algorithms; see [27, 64] . 
Although this framework is more general, we focus only on polynomials over a finite field $\mathbb{F}_q$; see [25] for more details. 
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2.1 Generating Functions 

Let $P(z)$ and $Q(z)$ be the generating functions of polynomials and squarefree polynomials over $\mathbb{F}_q$, respectively. [For simplicity, we consider only monic polynomials.] The coefficient $Q_n = [z^n] Q(z)$ equals the number of monic squarefree polynomials of degree $n$, and the coefficient $P_n = [z^n] P(z)$ represents the number of monic polynomials of degree $n$. These generating functions can be obtained by considering an enumerator of a fixed irreducible factor of degree $k$ 
\[ 1 + z^k + z^{2k} + \cdots . \]
This enumerator counts the number of times, $0, 1, 2, \ldots$, that this particular irreducible factor appears in a polynomial. Let $I_k$ be the number of monic irreducible polynomials over $\mathbb{F}_q$ of degree $k$ (we avoid carrying the finite field in this notation since in this paper it will always be $\mathbb{F}_q$). Then, considering the $I_k$ irreducible factors of degree $k$, and varying over $k$, we obtain (distributively) the generating function of polynomials over $\mathbb{F}_q$ 
\[ P(z) = \prod_{k \ge 1} \left(1 + z^k + z^{2k} + \cdots\right)^{I_k} = \prod_{k \ge 1} \left(\frac{1}{1 - z^k}\right)^{I_k}. \]
Since $P_n$ is $q^n$, we have $P(z) = 1/(1 - qz)$ and we conclude that 
\[ \prod_{k \ge 1} \left(\frac{1}{1 - z^k}\right)^{I_k} = \frac{1}{1 - qz}. \qquad (1) \]



Let $I(z)$ be the generating function of irreducible polynomials, that is, $I(z) = \sum_{k \ge 1} I_k z^k$. The last equation implicitly determines $I_k$. Indeed, from 
\[ \frac{1}{1 - qz} = \prod_{k \ge 1} \left(\frac{1}{1 - z^k}\right)^{I_k} \]
we get 
\[ \sum_{k \ge 1} \frac{q^k z^k}{k} = \sum_{k \ge 1} I_k \log \frac{1}{1 - z^k}. \]
Expanding the logarithm and equating coefficients we get 
\[ \frac{q^n}{n} = \sum_{k \mid n} \frac{I_{n/k}}{k}. \]
Finally, the Moebius inversion formula gives the classical relation 
\[ I_n = \frac{1}{n} \sum_{k \mid n} \mu(k)\, q^{n/k}. \]
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An important consequence for algorithms that use polynomials over finite fields is that 
\[ I_n = \frac{q^n}{n} + O\!\left(\frac{q^{n/2}}{n}\right), \]
and hence a fraction very close to $1/n$ of the polynomials of degree $n$ over $\mathbb{F}_q$ is irreducible. 



2.2 Asymptotic Analysis 

Generating functions encode exact information in their coefficients. In many 
cases, the extraction of the coefficients from a generating function is a difficult 
task. Fortunately, there are powerful methods that allow us to determine the 
asymptotic form of the coefficients of complicated generating functions directly 
from their singularities. In particular, it is well-known that the behavior near a 
dominant positive singularity (one with the smallest modulus) is an important 
source of coefficient asymptotics. 

These methods give conditions under which the asymptotic behavior of the coefficients can be determined using a local asymptotic expansion near a dominant singularity. In other words, these methods give conditions for which the following implication is valid 
\[ f(z) \sim \sigma(z) \implies [z^n] f(z) \sim [z^n] \sigma(z), \]
where $f(z)$ is the generating function to be studied and $\sigma(z)$ is its approximation near the singularity. 

Most of the generating functions $f(z)$ of interest here are singular at $z = 1/q$ with an isolated singularity of algebraic-logarithmic type. In these cases, we can apply the following result from [26]. 

Theorem 1. Let $f(z)$ be a function analytic in a domain 
\[ \mathcal{D} = \{ z : |z| < \Delta,\ |\mathrm{Arg}(z - 1/q)| > \tfrac{\pi}{2} - \varepsilon \}, \]
where $\Delta > 1/q$ and $\varepsilon$ are positive real numbers. Let $k \ge 0$ be any integer, and $\alpha$ a real number with $\alpha \neq 0, -1, -2, \ldots$. If in a neighborhood of $z = 1/q$, $f(z)$ has an expansion of the form 

then the coefficients satisfy, asymptotically, 
\[ [z^n] f(z) = q^n \frac{n^{\alpha - 1}}{\Gamma(\alpha)} (\log n)^k \,(1 + o(1)). \qquad (3) \]
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We often find generating functions of the form $p(z) f(z)$ in which $p(z)$ is a polynomial and $f(z)$ satisfies the condition of Theorem 1. In such cases, if $h(z) = p(z) f(z)$, then 
\[ [z^n] h(z) = q^n\, p(1/q)\, \frac{n^{\alpha - 1}}{\Gamma(\alpha)} (\log n)^k \,(1 + o(1)). \qquad (4) \]
The translation from Equation (2) to Equation (3) or (4) is achieved by the so-called transfer lemmas that require analytic continuation of $f(z)$ outside its circle of convergence. Such a condition is usually verified by inspection. 

However, there are some situations in which generating functions do not sat- 
isfy the hypothesis of Theorem 1. For instance, some of the generating functions 
in Section 5 have a natural boundary at \z\ = 1 (each point at the unit circle 
is singular), so analytic continuation is not possible. This is a situation similar 
to the partition generating function. We use saddle point method in these cases. 
All asymptotic enumeration methods required in this paper are explained in the 
excellent presentations by Odlyzko [58] and by Flajolet and Sedgewick [27]. 

2.3 Examples 

We now derive, as a first example, the number of squarefree polynomials over $\mathbb{F}_q$. This result was first proven by Carlitz [11]. Using an enumerator as above, we have 
\[ Q(z) = \prod_{k \ge 1} \left(1 + z^k\right)^{I_k}, \]
an expression for which it is not so easy to extract coefficients. In this case, a much simpler method can be employed. By considering the multiplicity of its irreducible factors, each polynomial $f$ factors as $f = s\,t^2$ where $s$ is squarefree and $t$ is an arbitrary polynomial. We thus have 
\[ P(z) = Q(z)\, P(z^2), \]
and hence, 
\[ Q(z) = \frac{P(z)}{P(z^2)} = \frac{1 - qz^2}{1 - qz}. \]
We immediately have 
\[ Q_n = q^n - q^{n-1}, \qquad n \ge 2, \qquad (5) \]
with $Q_n = q^n$ for $n = 0, 1$. This means that, for $n \ge 2$, the proportion of squarefree polynomials is $1 - 1/q$, or in other words, for large finite fields $\mathbb{F}_q$ most polynomials are squarefree. 

As a second example, let us consider the study of the expected number of irreducible factors of a random polynomial. In this type of question we need an extension of the method to take care of what we call "parameters" of the problem. This means stating a bivariate generating function in the variables $z$ and 
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$u$ such that $z$ counts polynomials, and $u$ counts the parameter of interest. In our example, let $A(z,u)$ be the bivariate generating function counting polynomials of degree $n$ with $k$ irreducible factors, that is, the coefficient $[z^n u^k] A(z,u)$ represents the number of polynomials of degree $n$ with $k$ irreducible factors. Using the method above, we have 
\[ A(z,u) = \prod_{k \ge 1} \left(1 + u z^k + u^2 z^{2k} + \cdots\right)^{I_k} = \prod_{k \ge 1} \left(1 - u z^k\right)^{-I_k}. \]
Averages and standard deviations are obtained by taking successive derivatives of the bivariate generating function with respect to the parameter $u$, and then setting $u = 1$ (see, for example, [64]): 
\[ \text{mean} = \frac{[z^n] \left.\dfrac{\partial A(z,u)}{\partial u}\right|_{u=1}}{[z^n] A(z,1)}, \]
\[ \text{variance} = \frac{[z^n] \left.\dfrac{\partial^2 A(z,u)}{\partial u^2}\right|_{u=1}}{[z^n] A(z,1)} + \frac{[z^n] \left.\dfrac{\partial A(z,u)}{\partial u}\right|_{u=1}}{[z^n] A(z,1)} - \left( \frac{[z^n] \left.\dfrac{\partial A(z,u)}{\partial u}\right|_{u=1}}{[z^n] A(z,1)} \right)^{2}. \]
In our case, differentiating two times, putting $u = 1$ and applying asymptotic analysis gives that the average number of irreducible factors is asymptotic to $\log n$ with a standard deviation of $\sqrt{\log n}$. Indeed, much more is known about this parameter since it is one of the most widely studied with respect to polynomials over finite fields. 
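As an added example (not from the paper), here is a small Python script that turns the formulas of this section into numbers: $I_n$ from the Moebius formula, the coefficient identity $q^n = \sum_{k \mid n} k I_k$ that equation (1) yields after taking logarithms, $Q_n$ from equation (5), and the exact mean number of irreducible factors obtained from $\partial A/\partial u$ at $u = 1$. Function names are this example's own; the closed form used for the mean, $\sum_{m=1}^{n} q^{-m} \sum_{k \mid m} I_k$, follows from $A(z,1) = 1/(1 - qz)$ and $\partial_u \log A(z,u)|_{u=1} = \sum_{k} I_k z^k/(1 - z^k)$.

```python
from fractions import Fraction


def mobius(n):
    """Moebius function mu(n) by trial division; n is small in this example."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:          # p^2 divides the original n
                return 0
            result = -result
        p += 1
    return -result if n > 1 else result


def divisors(n):
    return [k for k in range(1, n + 1) if n % k == 0]


def num_irreducibles(q, n):
    """I_n = (1/n) sum_{k|n} mu(k) q^{n/k}: monic irreducibles of degree n over F_q."""
    return sum(mobius(k) * q ** (n // k) for k in divisors(n)) // n


def coefficient_identity_holds(q, n):
    """q^n = sum_{k|n} k I_k, i.e. the coefficient of z^n after taking logs in (1)."""
    return sum(k * num_irreducibles(q, k) for k in divisors(n)) == q ** n


def num_squarefree(q, n):
    """Q_n from equation (5): q^n - q^(n-1) for n >= 2, q^n for n = 0, 1."""
    return q ** n if n < 2 else q ** n - q ** (n - 1)


def mean_num_irreducible_factors(q, n):
    """Exact mean of the number of irreducible factors (with multiplicity) of a random
    monic polynomial of degree n. From A(z,u) = prod_k (1 - u z^k)^{-I_k}:
    dA/du at u=1 equals (1/(1-qz)) * sum_{m>=1} z^m sum_{k|m} I_k, so dividing the
    coefficient of z^n by q^n gives mean = sum_{m=1}^{n} q^{-m} sum_{k|m} I_k."""
    total = Fraction(0)
    for m in range(1, n + 1):
        total += Fraction(sum(num_irreducibles(q, k) for k in divisors(m)), q ** m)
    return total


def relative_error_of_1_over_n(q, n):
    """|I_n - q^n/n| / (q^n/n): how good the 'fraction 1/n is irreducible' rule is."""
    exact = Fraction(num_irreducibles(q, n))
    approx = Fraction(q ** n, n)
    return abs(exact - approx) / approx


if __name__ == "__main__":
    for n in range(1, 9):
        print(f"q=2, n={n}: I_n={num_irreducibles(2, n)}, Q_n={num_squarefree(2, n)}, "
              f"mean number of factors={mean_num_irreducible_factors(2, n)}")
```

For $q = 2$ and $n = 3$ the mean is $9/4$, which can be checked by hand: two of the eight monic cubics are irreducible, two have two factors and four have three.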



Theorem 2. Let $\Omega_n$ be a random variable counting the number of irreducible factors of a random polynomial of degree $n$ over $\mathbb{F}_q$, where each factor is counted with its order of multiplicity. 

1. The mean value of $\Omega_n$ is asymptotic to $\log n + O(1)$. 

2. The variance of $\Omega_n$ is asymptotic to $\log n + O(1)$. 

3. For any two real constants $\lambda < \mu$, 
\[ \Pr\left\{ \log n + \lambda \sqrt{\log n} \le \Omega_n \le \log n + \mu \sqrt{\log n} \right\} \to \frac{1}{\sqrt{2\pi}} \int_{\lambda}^{\mu} e^{-t^2/2}\, dt. \]

4. The distribution of $\Omega_n$ admits exponential tails. 

5. A local limit theorem holds. 



Remarks: 

1. The average number of irreducible factors of a random polynomial of degree $n$ appears in [6], Ex. 3.6. Then, it also appears in [52], Ex. 4.6.2.5, and with more details in [28,50,55]. 

2. The variance is sketched in [28], and is given with more terms in [50]. The latter also covers the case of distinct factors. 

3. For any two real constants $\lambda < \mu$, if 
\[ \Pr\left\{ \log n + \lambda \sqrt{\log n} \le \Omega_n \le \log n + \mu \sqrt{\log n} \right\} \to \frac{1}{\sqrt{2\pi}} \int_{\lambda}^{\mu} e^{-t^2/2}\, dt, \]
then it is said that $\Omega_n$ satisfies a central limit theorem, or that a Gaussian limit distribution holds. The existence of this limit distribution provides information on the distribution near the mean value. The central limit for $\Omega_n$ is in [28], Corollary 1. 
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4. Exponential tails essentially indicate that large deviations from the mean 
value are unlikely. In the case of the number of irreducible factors of random 
polynomials, exponential tails are proven in [29]. 

5. Local limit theorems basically deal with density functions. They are studied 
in depth in [4, 5]. For our particular case, the local limit theorem holds as a 
consequence of the results in [36] . 

As a final example, let us consider the number of irreducible factors of fixed degree in a random polynomial. The number of linear factors, that is the number of roots, of a random polynomial seems to have been first studied by Zsigmondy [68] for the prime field case; Knopfmacher and Knopfmacher [49] present a detailed analysis including variance. The case of polynomials with no roots is interesting when studying the distinct values that a polynomial can take. This is related to permutation polynomials and was studied by Uchiyama [66]; see also [15]. 

The generating function of polynomials with no linear factors is 
\[ \frac{1}{1 - qz}\,(1 - z)^{I_1} = \frac{(1 - z)^q}{1 - qz}. \]
It is not difficult to extract coefficients from this generating function since it is a convolution of two simple generating functions. If we prefer to use singularity analysis, we obtain that, for large $n$, the number of polynomials of degree $n$ with no irreducible factors of degree 1 is asymptotic to $q^n (1 - 1/q)^q$. This means that the probability of obtaining one such polynomial tends to $1/e = 0.3678\ldots$ when $q$ grows (computer experiments show that for $q \ge 11$ this is already a good approximation). In other words, "most" polynomials are reducible and have at least one irreducible factor of degree 1! 

In general, the number of irreducible factors of a specified degree d in poly- 
nomials of degree n was studied by Williams [67]. A detailed analysis including 
variance and “distinct irreducibles” case appears in [50]. 



3 Irreducibility Tests for Polynomials 

Rabin [63] presents a probabilistic algorithm for constructing irreducible poly- 
nomials over finite fields. The central idea is to take polynomials at random and 
test them for irreducibility. Since the proportion of irreducible polynomials of 
degree n (over any finite field) is close to 1/n, we expect to find an irreducible 
polynomial after approximately n tries. 

In order that this works we need an irreducibility test. Rabin derives an algorithm for testing the irreducibility of a polynomial from the following theorem. 

Theorem 3. Let $p_1, \ldots, p_k$ be the distinct prime divisors of $n$, and denote $n/p_i = n_i$, for $1 \le i \le k$. A polynomial $f \in \mathbb{F}_q[x]$ of degree $n$ is irreducible in $\mathbb{F}_q[x]$ if and only if $\gcd(f,\ x^{q^{n_i}} - x \bmod f) = 1$, for $1 \le i \le k$, and $f$ divides $x^{q^n} - x$. 
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Rabin's algorithm simply computes the above gcds one by one. Since $x^{q^{n_i}} - x \in \mathbb{F}_q[x]$ is the product of all monic irreducible polynomials over $\mathbb{F}_q$ of degree dividing $n_i$ (see Theorem 4 below), each gcd tests the existence of irreducible factors in $f$ of several degrees. A polynomial is discarded when one gcd is different from 1. Hence, the analysis of Rabin's algorithm can be carried out by studying the number of polynomials with irreducible factors belonging to a set $T$ but not belonging to a set $S$ ($T$ would be the set of degrees being tested in step $i$, while $S$ would be the set of degrees already tested in the previous steps of the algorithm). The corresponding generating function is 
\[ \left( \prod_{k \in T} \left(1 - z^k\right)^{-I_k} - 1 \right) \prod_{i \notin S \cup T} \left(1 - z^i\right)^{-I_i}. \]
Now, the set of degrees being checked at step $i$ of the algorithm depends on the divisors of $n_1, n_2, \ldots, n_{i-1}$, where $n_j = n/p_j$ is as stated in Theorem 3. Extracting coefficients here is, essentially, an impossible task (the possible cases are when $n$ is prime or a product of two primes, see [59]). A delicate asymptotic analysis provides uniform results [59]. 

Variants for the computation of $x^{q^{n_i}} - x \bmod f$ have been presented in [42] and in [35]. These variants are analyzed in a similar way. 

Soon after Rabin gives his algorithm, Ben-Or [3] proposes an algorithm based 
on the following theorem (for example, see Theorem 3.20 of [53]). 

Theorem 4. For $i \ge 1$, the polynomial $x^{q^i} - x \in \mathbb{F}_q[x]$ is the product of all monic irreducible polynomials in $\mathbb{F}_q[x]$ whose degree divides $i$. 

We should point out that both Gauss and Galois suggested using this theorem as 
a step for factoring polynomials (see [41] and the references therein for a historic 
account). 

Ben-Or's algorithm tests the irreducibility of a polynomial by searching for irreducible factors degree by degree. Since the mean number of irreducible factors of degree $k$ of a random polynomial of degree $n$ approaches $1/k$ as $n$ tends to infinity [50], if the polynomial is reducible, Ben-Or's algorithm quickly discards it. Moreover, since the degrees of the polynomials involved in the gcds are smaller than in Rabin's algorithm, these gcds are less expensive. 

In order to analyze this algorithm, we have to study the probability that a random polynomial of degree $n$ contains no irreducible factors of degree up to a certain value $m$ (such polynomials are sometimes called $m$-rough). Car [10] gives estimates for $m$-roughness that depend on the Buchstab function for $m$ large with respect to $n$, say $m > c_1\, n \log\log n / \log n$. On the other extreme, Gao and Panario [35] show that for $m$ small with respect to $n$, say $m < c_2 \log n$, the estimate $e^{-\gamma}/m$ holds, where $\gamma$ is Euler's constant. The Buchstab function is the unique continuous solution of the difference-differential equation 
\[ u\,\omega(u) = 1, \qquad 1 \le u \le 2, \]
\[ (u\,\omega(u))' = \omega(u - 1), \qquad u \ge 2. \]
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It was introduced by Buchstab [9] when studying the analogous problem for integer numbers, that is, numbers with no small prime factors. Much is known about this function. For example, it is known that the Buchstab function quickly tends to $e^{-\gamma} = 0.56146\ldots$ (see Fig. 1). 

Fig. 1. The relation between the Buchstab function and $e^{-\gamma}$ in the interval [1, 4]. 



The study of the probability that a random polynomial is $m$-rough for the complete range $1 \le m \le n$ is given by Panario and Richmond [60]. The estimates are in terms of the Buchstab function when $m \to \infty$. When $m$ is fixed singularity analysis is applied. 

Theorem 5. The smallest degree $S_n$ among the irreducible factors of a random polynomial of degree $n$ over $\mathbb{F}_q$ satisfies 

$\Pr(S_n > m)$ 

when $m$ tends to infinity with $n$. 

Using Theorem 5 it is not difficult to prove that the expected smallest degree among the irreducible factors of a random polynomial is asymptotic to $e^{-\gamma} \log n$. More generally, the expected $r$th smallest degree among the irreducible factors of a random polynomial is asymptotic to $e^{-\gamma} \log^{r} n / r!$. 

These studies generalize to the size of the smallest components in random 
decomposable structures [61, 62]. The results include limit distributions and local 
theorems for the size of the rth smallest component of an object of size n. 
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Expectation, variance and higher moments of the rth smallest component are 
also derived. The results apply to several combinatorial structures in the exp-log 
class for both labelled and unlabelled objects. This class of combinatorial objects 
includes permutations, polynomials over finite fields, 2-regular graphs, random 
mappings (functional digraphs), random mappings patterns, arithmetical semi- 
groups, etc; see [61] for details and references. 

Similar generic results for this class of objects but for the number of irre- 
ducible components have been developed by Flajolet and Soria [28, 29]. The size 
of the largest components in random decomposable structures have been carried 
out by Gourdon [43,44]. 



4 Factorization of Polynomials over Finite Fields 



Factoring polynomials is a fundamental task with many applications, and has 
been largely studied; see Chapter 14 of [37] or [41] for recent surveys. 

There exists a general factorization algorithm (that Knuth [52] calls “folk- 
lore”) that works in three stages: 

ERF elimination of repeated factors replaces a polynomial by a squarefree one 
which contains all the irreducible factors of the original polynomial with 
exponents reduced to 1; 

DDF distinct-degree factorization splits a squarefree polynomial into a product 
of polynomials whose irreducible factors all have the same degree; 

EDF equal-degree factorization factors a polynomial whose irreducible factors 
have the same degree. 



We do not include the algorithms in this paper [37,41]. We observe that the 
first stage of this process is normally done by means of the so-called squarefree 
factorization but for simplicity we consider ERF here. In any case, this is not 
the crucial stage of the algorithm as we will see later. 

We only state the main features of the analysis of each stage; for the complete 
details see the paper by Flajolet, Gourdon and Panario [25]. 

We start by considering the elimination of repeated factors. By Equation (5) most polynomials are squarefree. If we call "nonsquarefree part" the factor that remains after dividing the polynomial by the result of computing ERF, it is not difficult to prove that the nonsquarefree part is expected to be constant. Indeed, the bivariate generating function counting the total degree of the nonsquarefree part is 
\[ \prod_{k \ge 1} \left(1 + z^k + u^{k} z^{2k} + u^{2k} z^{3k} + \cdots\right)^{I_k} = \prod_{k \ge 1} \left(1 + \frac{z^k}{1 - u^k z^k}\right)^{I_k}. \]
By differentiating with respect to $u$, setting $u = 1$ and applying singularity analysis, we obtain the mean degree of the non-squarefree part 
\[ N_q = \sum_{k \ge 1} \frac{k\, I_k}{q^{2k} - q^k}, \]
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and we have $N_q \sim 1/q$ when $q \to \infty$. Combining this information with the cost of each step of the algorithm, one shows that ERF accounts, essentially, for one gcd computation. 

The distinct-degree factorization (DDF) follows immediately from Theorem 4: check factors of the polynomial $f$ by computing $\gcd(x^{q^i} - x, f)$ for $i = 1, 2, \ldots$; if a gcd is different from 1, remove this factor from $f$ and continue iterating. This procedure factors $f$ into factors that contain one or more irreducible factors of the same degree. We stop this procedure when $i > n/2$: the remaining factor is either 1 or irreducible. 

A natural idea is the "early abort" strategy: stop the iteration of DDF when $2i$ exceeds the degree of the remaining factor. The analysis of the early abort strategy requires information on the largest and second largest expected degree of irreducible factors of a random polynomial. Naturally, the Dickman function [17, 18] appears in these estimates since it models the analogous problem for integer numbers. A technical analysis [25, 43] provides an expected largest degree tending to $c_1 n$ where $c_1 = 0.62432\ldots$ is precisely Golomb's constant [23] that models the expected largest length among the cycles of a random permutation. The second largest irreducible factor has expected degree $c_2 n$ where $c_2 = 0.20958\ldots$, where a generalized Dickman function plays an important role. As in the case of the smallest components already commented on, all results generalize to other decomposable combinatorial structures [43,44]. 
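Rabin's test (Theorem 3), Ben-Or's test (Theorem 4) and DDF with the early-abort rule all reduce to the same three operations in $\mathbb{F}_q[x]$: squaring modulo $f$ (to reach $x^{q^i} \bmod f$), gcd, and exact division. The following added example (not code from the paper or from any of the cited implementations) carries them out over $\mathbb{F}_2$ with polynomials stored as Python integers, bit $i$ being the coefficient of $x^i$; the sample polynomial $x^6 + x^4 + x + 1 = (x+1)(x^2+x+1)(x^3+x+1)$ and all function names are this example's own.

```python
def deg(f):
    """Degree of f in GF(2)[x]; bit i of the int f is the coefficient of x^i (deg(0) = -1)."""
    return f.bit_length() - 1

def gf2_divmod(a, m):
    """Quotient and remainder of a by m (m != 0) in GF(2)[x]: long division with XOR."""
    q, dm = 0, deg(m)
    while deg(a) >= dm:
        s = deg(a) - dm
        q ^= 1 << s
        a ^= m << s
    return q, a

def gf2_mulmod(a, b, m):
    """a * b mod m: shift-and-add, reducing after every doubling so sizes stay bounded."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = gf2_divmod(a << 1, m)[1]
    return r

def gf2_gcd(a, b):
    """Euclid's algorithm (every nonzero polynomial over GF(2) is already monic)."""
    while b:
        a, b = b, gf2_divmod(a, b)[1]
    return a

X = 0b10  # the polynomial x

def x_pow_q_i(i, m):
    """x^(q^i) mod m for q = 2: i applications of the Frobenius map h -> h^2 mod m."""
    h = gf2_divmod(X, m)[1]
    for _ in range(i):
        h = gf2_mulmod(h, h, m)
    return h

def prime_factors(n):
    ps, p = [], 2
    while p * p <= n:
        if n % p == 0:
            ps.append(p)
            while n % p == 0:
                n //= p
        p += 1
    return ps + ([n] if n > 1 else [])

def rabin_irreducible(f):
    """Theorem 3: gcd(f, x^(q^(n/p)) - x) = 1 for every prime p | n, and f | x^(q^n) - x."""
    n = deg(f)
    if n < 1:
        return False
    x_mod_f = gf2_divmod(X, f)[1]
    for p in prime_factors(n):
        if gf2_gcd(f, x_pow_q_i(n // p, f) ^ x_mod_f) != 1:
            return False
    return x_pow_q_i(n, f) ^ x_mod_f == 0

def ben_or_irreducible(f):
    """Theorem 4 degree by degree: a reducible f has an irreducible factor of degree i <= n/2,
    which divides x^(q^i) - x, so some gcd(f, x^(q^i) - x) is not 1."""
    n = deg(f)
    if n < 1:
        return False
    x_mod_f = gf2_divmod(X, f)[1]
    h = x_mod_f
    for i in range(1, n // 2 + 1):
        h = gf2_mulmod(h, h, f)  # h = x^(2^i) mod f
        if gf2_gcd(f, h ^ x_mod_f) != 1:
            return False
    return True

def ddf(f, early_abort=True):
    """Distinct-degree factorization of a squarefree f: returns [(i, g_i)] with g_i the
    product of the irreducible factors of degree i. Without early abort the loop runs up
    to i = n/2 for the input degree n; with it, it stops once 2i exceeds deg(remaining f)."""
    n = deg(f)
    result, h, i = [], X, 1
    while deg(f) > 0:
        limit = (deg(f) if early_abort else n) // 2
        if i > limit:  # whatever remains is irreducible
            result.append((deg(f), f))
            break
        h = gf2_divmod(h, f)[1]  # x^(2^(i-1)) reduced modulo the current (smaller) f
        h = gf2_mulmod(h, h, f)  # x^(2^i) mod f
        g = gf2_gcd(f, h ^ gf2_divmod(X, f)[1])
        if g != 1:
            result.append((i, g))
            f = gf2_divmod(f, g)[0]  # exact division
        i += 1
    return result

if __name__ == "__main__":
    f = 0b1010011  # constructed: (x+1)(x^2+x+1)(x^3+x+1) = x^6 + x^4 + x + 1
    print("Rabin:", rabin_irreducible(f), "Ben-Or:", ben_or_irreducible(f))
    print("DDF:", [(i, bin(g)) for i, g in ddf(f)])
```

Counting the monic polynomials of degree 5 and 6 over $\mathbb{F}_2$ that either test accepts reproduces $I_5 = 6$ and $I_6 = 9$ from the Moebius formula, and both tests agree on every polynomial of degree up to 8; on $(x^3+x+1)(x^3+x^2+1)$ DDF returns the single pair $(3, f)$, the situation of Theorem 6 where EDF is still needed.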

The global saving of the early abort rule is of 36%, and the expected cost of 
DDF dominates the whole factorization process. This gives a firm justification 
to a fact that was known from a worst-case perspective. 

DDF does not completely factor a polynomial that has different factors of the same degree. We have the following theorem [25,51]. 

Theorem 6. 1. The probability that DDF yields the complete factorization is asymptotic to 
\[ c_q = \prod_{k \ge 1} \left(1 + \frac{I_k}{q^k - 1}\right) \left(1 - \frac{1}{q^k}\right)^{I_k}, \]
where $c_2 = 0.6656\ldots$, $c_{257} = 0.5618\ldots$, $c_{\infty} = e^{-\gamma} = 0.5614\ldots$. 

2. The number of degree values for which there is more than one irreducible factor in the polynomial produced by DDF has an average that is asymptotic to the constant 
\[ \sum_{k \ge 1} \left( 1 - \left(1 - \frac{1}{q^k}\right)^{I_k} \left(1 + \frac{I_k}{q^k - 1}\right) \right). \]

3. The degree of the part of the polynomial that remains to be factored by the EDF algorithm has expectation $\log n + O(1)$, and standard deviation of approximately $\sqrt{n}$. 

Finally, the factorization problem is reduced to factoring polynomials that 
have all their irreducible factors of the same (known) degree (EDF). The fastest 
algorithms for this task are randomized. Indeed, it is not known a deterministic 



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polynomial time algorithm for this stage of the factorization process. One such 
algorithm would yield a deterministic polynomial time algorithm for the whole 
factoring problem, a well-known open problem [2,22,31]. 

The analysis of EDF is an interesting combination of a recursive partitioning 
problem akin to digital trees (better known as “tries”) with estimates on the 
degree of irreducible factors of random polynomials. 

On the other hand, Theorem 6 implies that EDF is executed less than 50% 
of the time and with a total degree of roughly log n. Since the cost of these 
algorithms heavily depends on the degree of the polynomial in the input, we 
can conclude that the cost of the EDF stage is computationally small though it 
cannot be completely discarded. 

Factorization algorithms of the 1990's involve the analysis of irreducible factors 
whose degrees lie in intervals [42,47,65]. These algorithms split the interval 
[1, n] into parts. For each subinterval, the product of all irreducible factors of 
the original polynomial whose degree lies in that interval is computed. Using 
Theorem 4, a gcd computation determines if the polynomial contains irreducible 
factors in the subinterval. For each subinterval with more than one irreducible 
factor the standard DDF algorithm is applied to compute the distinct-degree 
factorization. 

The analysis of these algorithms requires information on how irreducible 
factors are distributed among the parts of a given partition of [1, n]. For example, 
the probability of no interval with more than one irreducible factor, the average 
number of factors in one subinterval, and so on, provide useful information and 
the methodology presented here seems amenable to this problem. 

When factoring random polynomials, polynomially growing interval sizes 
seem to be a good option for the partition. An example of polynomially growing 
interval size is the quadratic partition: [1, 1], [2, 4], [5, 9], [10, 16], . . . We expect 
to have a decreasing number of irreducible factors as their degrees increase, and 
hence, polynomially growing interval size partitions seem to distribute the factors 
in a more balanced fashion. Preliminary results show that this is the case. 
Using this information, von zur Gathen and Gerhard [40] provide algorithms 
for factoring very large degree random polynomials over F_2. For example, their 
algorithm factors a random polynomial of degree about 250 000 in one day of 
CPU time. 



5 Cryptographic Applications 

Let g be a generator of the multiplicative group of F_q. For any element h ∈ F_q, 
h ≠ 0, there exists an integer x, 0 ≤ x ≤ q − 2, such that h = g^x. We call x the 
discrete logarithm of h in the base g. 

A fundamental task in cryptography is the discrete logarithm problem: find 
a computationally feasible algorithm to compute the discrete logarithm of h, 
for any h ∈ F_q, h ≠ 0. Indeed, the security of many public-key cryptosystems 
depends on the assumption that finding discrete logarithms is hard, at least for 
certain groups. For instance, the security of the following cryptographic applications 
depends on the current inability to solve the discrete logarithm problem 
efficiently: Diffie-Hellman key exchange scheme [19], El Gamal's cryptosystem [21], 
and pseudorandom bit generators [8,32]. 

We observe that this problem can be defined over any group. However, in 
this paper, we restrict ourselves to the case of the discrete logarithm problem over 
F_{2^n}. We view the elements in F_{2^n} as polynomials of degree n over F_2. We point 
out that all results in this section apply to F_q, where q = p^n, p is a small prime 
and n is large, but for practical reasons we only consider p = 2. 

The breakthrough in the computation of discrete logarithms in such groups 
was the development of the index calculus method. Odlyzko [57] provides an excellent 
account of this problem. The method consists of two parts: a construction 
of a large database of logarithms, and the computation of individual logarithms. 
Let S be a set of irreducible polynomials over F_p, where p is the characteristic 
of F_q. 

1) Choose an integer s in [1, q − 1] uniformly at random, and form the polynomial 
h = g^s (mod f), deg h < n. Check if h factors completely into irreducibles 
over the set S. If not, discard it and iterate. If it does, say h = \prod_{v \in S} v^{c_v(h)}, 
record the congruence 

\[ s \equiv \sum_{v \in S} c_v(h) \log_g v \pmod{q - 1}. \]

Repeat the above steps until "slightly more" than #S congruences are 
obtained. Then solve the system to determine log_g v for all v ∈ S. 

2) Let h* be the element whose logarithm we want to compute. Choose an 
integer s in [1, q − 1] uniformly at random and form the polynomial h = 
h* g^s (mod f), deg h < n. Check if h factors completely into irreducibles over 
the set S. If not, discard it and iterate. If it does, say h = \prod_{v \in S} v^{c_v(h)}, 
compute the required discrete logarithm as 

\[ \log_g h^* \equiv -s + \sum_{v \in S} c_v(h) \log_g v \pmod{q - 1}. \]

There are many variations of this "basic" version; see [57] for details. Normally, 
S is the set of irreducible polynomials of degree smaller or equal to m, 
the so-called m-smooth polynomials. Since we repeat the search until we find an 
m-smooth polynomial, the analysis of the index calculus method requires information 
on the number of polynomials that are m-smooth. Using the methodology 
described in this paper, Odlyzko [57] obtains the generating function of the 
number N_q(m; n) of monic polynomials over F_q of degree n which are m-smooth: 

\[ S_m(z) = \sum_{n \ge 0} N_q(m; n)\, z^n = \prod_{k=1}^{m} \left(1 - z^k\right)^{-I_k}. \]

For the cryptographical applications, m tends to infinity with n. More precisely, 
we have m = √(n log n)/√(2 log 2); see [57]. Hence, singularity analysis does not 
apply since we have a natural boundary in |z| = 1 and analytic continuation is 
not possible. Odlyzko uses the saddle point method for deriving an asymptotic 
estimation for the numbers N_q(m; n) as n → ∞, uniformly for m in the range 
n^{1/100} ≤ m ≤ n^{99/100}. [Actually, his results hold for n^δ ≤ m ≤ n^{1−δ}, where 
δ > 0.] 

Blake et al. propose a variant of the index calculus method over F_{2^n}. This 
variant is known as the Waterloo algorithm [7, 57]. It improves the running time 
of the method by introducing a heuristic argument that makes its analysis not 
rigorous. 

The central idea is to replace the search for one m-smooth polynomial of 
degree n by a search for two m-smooth polynomials of degree at most (n − 1)/2. 

0) Set A to 0. 

1) If deg h(x) ≤ m and h(x) = \prod_i h_i(x)^{c_i}, then \log_g h(x) = \sum_i c_i \log_g h_i(x) 
mod (q − 1), and stop. 

2) Generate a random integer a; set A to A + a and h(x) to h(x) g(x)^a. Apply 
the extended Euclidean algorithm to h(x) and f(x) to obtain polynomials 
t(x) h(x) ≡ r(x) (mod f(x)), with deg r(x), deg t(x) ≤ (n − 1)/2. 

3) Factor t(x) = \prod_i p_i(x)^{c_i} and r(x) = \prod_j p_j(x)^{d_j}. If deg p_i(x) ≤ m and 
deg p_j(x) ≤ m for all i, j, then compute the required discrete logarithm 
as 

\[ \log_g h(x) = \sum_j d_j \log_g p_j(x) - \sum_i c_i \log_g p_i(x) - A, \]

and stop. Otherwise, return to 2. 

The correctness of the method is based on the known fact that if we apply the 
extended Euclidean algorithm to h(x) and f(x), then there exist two polynomials 
r(x) and t(x) both of degree smaller or equal to (n − 1)/2 such that t(x) h(x) ≡ 
r(x) (mod f(x)); see [7]. 

It is not difficult to check that the polynomials r(x), t(x) of degree ≤ (n − 1)/2 
can be taken as relatively prime polynomials. Then, for the analysis of the 
running time of the algorithm, we have to estimate the probability that two 
random monic polynomials of degree ≤ (n − 1)/2 are relatively prime, and that 
they decompose into irreducible polynomials with degree ≤ m. 

Let P(m; (n − 1)/2) be the probability that a polynomial of degree (n − 1)/2 
is m-smooth, and P(m; (n − 1)/2, (n − 1)/2) be the probability that a pair of 
polynomials each of degree (n − 1)/2 is m-smooth. Blake et al. approximate this 
probability by the probability that each polynomial r(x) and t(x) has degree 
about (n − 1)/2 and that each polynomial factors into irreducibles of degree 
≤ m independently of the other. They show experimental data validating this 
heuristic argument. 

Drmota and Panario [20] provide a rigorous proof of this heuristic. Let 
N_q(m; n_1, n_2) denote the number of coprime pairs of monic polynomials f and g 
over F_q of degrees n_1 and n_2, respectively, which are m-smooth. The generating 
function F_m(z, w) of interest here is 

\[ F_m(z, w) = \sum_{n_1, n_2 \ge 0} N_q(m; n_1, n_2)\, z^{n_1} w^{n_2}. \]

Considering an enumerator of an irreducible factor of degree k that counts the 
presence of the factor in one of the polynomials f or g but not in both, we have 

\[ 1 + z^k + z^{2k} + \cdots + w^k + w^{2k} + \cdots. \]

Varying on the possible I_k irreducible factors of degree k we have 

\[ F_m(z, w) = \prod_{k=1}^{m} \left(1 + z^k + z^{2k} + \cdots + w^k + w^{2k} + \cdots\right)^{I_k} = \prod_{k=1}^{m} \left( \frac{1 - z^k w^k}{(1 - z^k)(1 - w^k)} \right)^{I_k} = \frac{S_m(z)\, S_m(w)}{S_m(zw)}. \]

Now a bivariate saddle point argument similar to Odlyzko's provides the following 
theorem (see [20]). 

Theorem 7. Let δ > 0 be given. Then we have, uniformly for m, n_1, n_2 → ∞ 
with n_1^δ ≤ m ≤ n_1^{1−δ} and n_2^δ ≤ m ≤ n_2^{1−δ}, 

\[ N_q(m; n_1, n_2) \sim \left(1 - \frac{1}{q}\right) N_q(m; n_1)\, N_q(m; n_2). \]

In other words, the approximation of Blake et al. is correct in asymptotic terms, and we 
provide a precise estimation for this relation. The results generalize to provide 
estimates for the probability that two random monic polynomials of degree at 
most (n − 1)/2 are relatively prime and m-smooth. 
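The following script is an added illustration (our code, not from this survey nor from [57] or [20]) serving both the m-smooth generating function above and Theorem 7: it expands S_m(z) = ∏_{k≤m}(1 − z^k)^{−I_k} to read off N_q(m; n), reads N_q(m; n_1, n_2) off F_m(z, w) = S_m(z)S_m(w)/S_m(zw) using the fact that 1/S_m(zw) contributes only diagonal monomials (zw)^j, and cross-checks both counts against brute force over F_2. The bit-string encoding of polynomials and all helper names are our own assumptions.

```python
from math import comb

# Added example (not from the survey). Polynomials over F_2 are encoded as Python ints:
# bit i holds the coefficient of x^i, so 0b111 is x^2 + x + 1, and the ints with bit
# length n+1 are exactly the monic polynomials of degree n.

def poly_divmod(a, b):
    """Quotient and remainder of a divided by b in F_2[x] (b != 0)."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def poly_gcd(a, b):
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a

def irreducibles_by_degree(max_deg):
    """All monic irreducibles over F_2 of degree 1..max_deg, found by trial division."""
    by_deg = {}
    for d in range(1, max_deg + 1):
        lower = [r for e in range(1, d // 2 + 1) for r in by_deg[e]]
        by_deg[d] = [p for p in range(1 << d, 1 << (d + 1))
                     if all(poly_divmod(p, r)[1] for r in lower)]
    return by_deg

def mobius(n):
    result, d = 1, 2
    while d * d <= n:
        if n % d == 0:
            n //= d
            if n % d == 0:
                return 0
            result = -result
        d += 1
    return -result if n > 1 else result

def num_irreducibles(k, q=2):
    """I_k = (1/k) sum_{d|k} mu(d) q^(k/d): monic irreducibles of degree k over F_q."""
    return sum(mobius(d) * q ** (k // d) for d in range(1, k + 1) if k % d == 0) // k

def mul_by_binomial_power(coeffs, k, e):
    """Multiply the truncated series coeffs (index = degree) by (1 - z^k)^e, e any integer."""
    n_max = len(coeffs) - 1
    out = [0] * (n_max + 1)
    for i, c in enumerate(coeffs):
        if c:
            for j in range((n_max - i) // k + 1):
                # (1-u)^e = sum_j (-1)^j C(e,j) u^j for e >= 0; (1-u)^-r = sum_j C(r+j-1,j) u^j
                b = (-1) ** j * comb(e, j) if e >= 0 else comb(-e + j - 1, j)
                out[i + k * j] += c * b
    return out

def smooth_series(m, n_max, q=2, sign=-1):
    """Coefficients of S_m(z) = prod_{k<=m} (1 - z^k)^(-I_k) (sign=-1) or of 1/S_m(z) (sign=+1)."""
    coeffs = [1] + [0] * n_max
    for k in range(1, m + 1):
        coeffs = mul_by_binomial_power(coeffs, k, sign * num_irreducibles(k, q))
    return coeffs

def count_smooth(m, n, q=2):
    """N_q(m; n) = [z^n] S_m(z): monic degree-n polynomials over F_q that are m-smooth."""
    return smooth_series(m, n, q)[n]

def count_coprime_smooth_pairs(m, n1, n2, q=2):
    """N_q(m; n1, n2) = [z^n1 w^n2] S_m(z) S_m(w) / S_m(zw). The 1/S_m(zw) factor only
    contributes diagonal monomials (zw)^j, so a single sum over j suffices."""
    s = smooth_series(m, max(n1, n2), q)
    inv = smooth_series(m, min(n1, n2), q, sign=+1)
    return sum(s[n1 - j] * s[n2 - j] * inv[j] for j in range(min(n1, n2) + 1))

def is_smooth(f, m, irr):
    """True if every irreducible factor of f has degree <= m (divide them all out)."""
    for d in range(1, m + 1):
        for p in irr[d]:
            while True:
                quot, rem = poly_divmod(f, p)
                if rem:
                    break
                f = quot
    return f == 1

def brute_force_smooth(m, n):
    """Direct count over all 2^n monic polynomials of degree n, to cross-check the series."""
    irr = irreducibles_by_degree(m)
    return sum(is_smooth(f, m, irr) for f in range(1 << n, 1 << (n + 1)))

def brute_force_coprime_smooth_pairs(m, n1, n2):
    irr = irreducibles_by_degree(m)
    return sum(poly_gcd(f, g) == 1 and is_smooth(f, m, irr) and is_smooth(g, m, irr)
               for f in range(1 << n1, 1 << (n1 + 1))
               for g in range(1 << n2, 1 << (n2 + 1)))

if __name__ == "__main__":
    for m, n in [(2, 6), (3, 10)]:
        print(f"N_2({m}; {n}) = {count_smooth(m, n)}, brute force {brute_force_smooth(m, n)}")
    ratio = count_coprime_smooth_pairs(4, 12, 12) / count_smooth(4, 12) ** 2
    print(f"N(4; 12, 12) / N(4; 12)^2 = {ratio:.4f}  (Theorem 7: tends to 1 - 1/q = 0.5)")
```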

The basic index calculus method works with a set S formed by m-smooth 
polynomials. Another possibility is to use a non-smooth factor base. Garefalakis 
and Panario [38, 39] propose a different factor base: all irreducible polynomials 
with degree in an interval between m_2 and m_1. The required generating function 
is a simple generalization of the m-smooth generating function, and again, the saddle 
point method is needed for the asymptotic approximation. 

The theoretical estimation is as good as the one for the standard base. As 
in the smooth case, there is not much freedom for the upper limit m_1 of the 
interval: m_1 behaves exactly as m in the basic version. However, the lower limit 
m_2 remains a free variable which can be chosen (almost) at will; see the details 
in [39]. 

The running time of the algorithm is again dominated by the first stage. 
This is when a tradeoff takes place regarding the size of the factor base: large 
#S means a small number of repetitions (until a useful congruence is found), but 
many such congruences are needed for the system to be solvable. 

In practical terms, there is a tradeoff associated to m_2. The influence of the 
parameter m_2 is considered experimentally in [38]; however, more computational 
studies are needed to draw conclusions about the best m_2 and this variant. 

The generalized factor base also applies to the Waterloo and the Coppersmith 
[16] variants. Moreover, Odlyzko [57] describes other variants. These algorithms 
use clever algebraic manipulations to compute polynomials of "low" 
degree, which are subsequently factored. The computation of these polynomials 
is completely independent of the factor base. Therefore, a different factor base 
like the one proposed is "compatible" with all the variants. 

Finally, we should mention that the analysis of Coppersmith's algorithm [16] 
and the related Adleman's function field sieve algorithm [1] are still open problems. 
Here the main problem to study is the distribution of very sparse irreducible 
polynomials; see [33]. 



6 Conclusions 

We surveyed a methodology for counting properties of random polynomials 
over finite fields. This general framework is based on generating functions 
and asymptotic analysis. It not only allows the study of properties of random 
polynomials but also provides precise average-case analysis of polynomial 
algorithms. Moreover, we show the relation between properties of random 
polynomials over finite fields and properties of random decomposable combinatorial 
structures. 

A simplified picture of a random polynomial over a finite field is as follows: 

— it is irreducible with probability tending to 0 as n → ∞; 

— it contains log n irreducible factors (concentrated); 

— it has c_k n expected kth largest degree irreducible factor (c_1 = 0.62432 . . . 
and c_2 = 0.20958 . . .); 

— it has e^{−γ} log n and e^{−γ} log² n/2 expected first and second smallest degree 
irreducible factors (not concentrated). 

There are other polynomial problems where this methodology has not been 
fully employed yet. One example is finding roots of a polynomial. This problem 
can be considered as a variation of factoring polynomials, but there are methods 
especially tailored for this task (see the references in [37,41]). The methodology 
presented here together with results similar to the ones in [25] should provide 
analysis for these algorithms. 

Other important problems are polynomial gcd computations, and fast algo- 
rithms for polynomial multiplication (a la Karatsuba) and for “repeated squar- 
ing” (also called “binary powering” or “square and multiply”) methods. For the 
gcd problem, some results are in [30,48,54]. The analysis of repeated squaring 
algorithm seems to follow from the recent work of Grabner et al. [46] for the 
analysis of the similar problem of computing linear combinations of points in an 
elliptic curve. Karatsuba’s algorithm has been less studied than the other prob- 
lems. However, the analysis of mergesort algorithm in Flajolet and Golin [24] 
may serve as a starting point for the study of Karatsuba’s algorithm since both 
algorithms have a similar recursive structure. 

There are other algebraic related problems that are even less understood 
from an average-case perspective. There has been no analysis of the polynomial 
factorization algorithms based on linear algebra due to Berlekamp [6] and 
Niederreiter [56]. It is not clear how to use the methodology of this paper to 
analyze those algorithms. 

Solving sparse linear systems of equations over finite fields is another funda- 
mental problem that has not been deeply studied from this perspective. This is 
an important task, for example, for the index calculus method [57]. 

Finally, it would be interesting to have a similar methodology to the one pre- 
sented here for studying properties of random polynomials in several variables. 
This problem has been studied by Carlitz [12,13], Cohen [14] and Hayes [45]. 
The only average-case analysis of an algorithm for factoring bivariate polynomi- 
als that we know is due to Gao and Lauder [34]. However, there seems to be no 
generic methodology for analyzing algorithms for the factorization, irreducibility 
test, and so on, of polynomials over finite fields in several variables. 

Acknowledgment. The author would like to thank his co-authors. It has been 
a privilege to work with them. 

Abstract. We consider the rank polynomial of a matroid and some 
well-known applications to graphs and linear codes. We compare rank 
polynomials with two-variable zeta functions for algebraic curves. This 
leads us to normalize the rank polynomial and to extend it to a rational 
rank function. As applications to linear codes we mention: A formulation 
of Greene’s theorem similar to an identity for zeta functions of curves 
first found by Deninger, the definition of a class of generating functions 
for support weight enumerators, and a relation for algebraic-geometric 
codes between the matroid of a code and the two-variable zeta function 
of a curve. 



1 Introduction 

Matroids were introduced by Whitney to generalize the abstract properties of 
linear dependence. In the next section we will give the general definition of a 
matroid. For a special case, let E = {1, 2, . . . , n} be a finite set that labels a list 
S = (x_1, x_2, . . . , x_n) of vectors in a vector space V. The matroid on E is defined 
as the collection of all subsets of E of full rank. Various problems involving S 
can be solved in terms of the matroid without reference to other properties of S. 
We are mainly interested in those problems that can be solved in terms of the 
rank polynomial of the matroid. The rank polynomial enumerates the number of 
subsets of E of given size and rank. Such problems include among others graph 
coloring problems, where S is the set of columns in the vertex-edge incidence 
matrix of a graph, weight distribution problems, where S is the set of columns 
of a generator matrix of a linear code, and decision problems for combinatorial 
games. They are the subject of Sections 2-4. These sections can be seen as an 
introduction to matroids: we give the basic definitions and collect basic results. 
We also mention some problems that can not be solved in terms of the rank 
polynomial. 

In Sections 5-8, we study zeta functions for algebraic curves and their connec- 
tion with matroids. Section 5 deals with the problem of enumerating divisors of 
given degree and dimension on a given curve over a finite field. Its formal solution 
is given by the two- variable zeta function of Pellikaan. VanderGeer and Schoof 
reformulated this zeta function for number fields. Section 6 describes Deninger’s 
transformation that relates the two zeta functions. In Section 7, we define a 
two-variable zeta function for linear codes that describes the Hamming weight 
distribution of a linear code over its base field and over all finite extensions of the 
base field. It is similar to the Pellikaan two-variable zeta function of an algebraic 
curve. In Section 8, we rewrite the rank polynomial of a matroid as a normalized 
rank function. It is similar to the vanderGeer-Schoof two-variable zeta function 
in its version for curves. Under Deninger’s transformation, the normalized rank 
function of a matroid becomes the two-variable zeta function of a matroid. The 
normalized rank function of a matroid does not reveal the parameters of the 
matroid (its size and its rank, or for a code its length and its dimension). For a 
given choice of parameters it gives the same information as the rank polynomial. 
The uniform matroid of rank k on E = {1, 2, . . . , n} has as subsets of full rank 
all subsets of size at most k. For all n and k the normalized rank function is 

\[ \frac{1}{(1 - x)(1 - y)} = \cdots + x^2 + x + 1 + y + y^2 + \cdots. \]

The zeta function of the uniform matroid is 

\[ \frac{1}{(1 - T)(1 - uT)}. \]

Sections 9-12 describe some applications of the connection between zeta func- 
tions and matroids. In Section 9, we show that for linear codes Deninger’s trans- 
formation is equivalent to Greene’s theorem. Section 10 describes a decomposi- 
tion of the zeta function. The decomposition is used in Section 11 to describe a 
class of generating functions for support weight enumerators. In Section 12, we 
relate the matroid of an algebraic-geometric code to the two-variable zeta func- 
tion of a curve. We recover a lower bound of Munuera for the weight hierarchy 
of an algebraic geometric code. 

Reference texts for matroids are [41], [28]. The latter book does not discuss 
rank polynomials. A good survey on the rank polynomial and its applications 
is [7]. The books [6], [16] on graph theory have excellent chapters on the rank 
polynomial. Reference texts for algebraic curves over finite fields are [24], [33], 
and for coding theory [38], [23]. 

2 Matroids 

A matroid M = (E, I) consists of a finite set E and a collection I of subsets of 
E called independent sets such that 

(I1) ∅ ∈ I. 

(I2) If I_1 ∈ I and I_2 ⊆ I_1, then I_2 ∈ I. 

(I3) If I_1, I_2 ∈ I such that |I_2| < |I_1| then there exists e ∈ I_1 − I_2 such that 
I_2 ∪ {e} ∈ I. 

For vectors e_1, e_2, . . . , e_n in some vector space V we obtain a matroid on the 
set E = {1, 2, . . . , n} by taking for I the collection of all subsets of E that correspond 
to independent vectors. In particular, for a given matrix, we can define 
the matroid of its columns. The matroid of a graph is defined as the matroid 
of its vertex-edge incidence matrix. The matroid of a linear code is defined as 
the matroid of its generator matrix. Both cases will be treated in more detail in 
the next two sections. On the other hand not all matroids are representable by 
vectors in some vector space. 

The axiom (I3) guarantees that all maximal independent subsets I ⊆ A of a 
given subset A ⊆ E have the same size, so that we can talk about the rank r(A) 
of a subset A. A maximal independent subset I ⊆ E is called a basis. Clearly, 
a matroid on E is determined by the collection B of all bases. A collection B of 
subsets of E defines the bases for a matroid if and only if [28, Corollary 1.2.5] 

(B1) B is non-empty. 

(B2) If B_1, B_2 ∈ B such that e ∈ B_1 − B_2 then there exists e' ∈ B_2 − B_1 such 
that (B_1 − e) ∪ {e'} ∈ B. 

Under the same conditions, for bases B_1, B_2 and for e ∈ B_1 − B_2, we can use 
axiom (I3) to extend {e} to a basis of the form (B_2 − e') ∪ e. Combination of 
this simple result with (B2) shows that B* = {E − B : B ∈ B} is the collection 
of bases for a matroid M* = (E, I*) called the dual matroid of M. 

The non-Pappus matroid is defined on E = {1, 2, 3, 4, 5, 6, 7, 8, 9} with bases 
all 3-sets except the eight 3-sets of collinear points in Figure 1. For some time it 
was thought to be the smallest possible example of a nonrepresentable matroid 
till Vamos gave an example on eight points. The Vamos matroid is defined on E = 
{1, 2, 3, 4, 5, 6, 7, 8} with bases all 4-sets except {1, 2, 3, 4}, {1, 2, 5, 6}, {1, 2, 7, 8}, 
{3, 4, 5, 6}, {3, 4, 7, 8}. 

Figure 1: Non-Pappus matroid. 

A subset A ⊆ E is called closed if r(A ∪ x) = r(A) + 1 for all x ∈ E − A. 
A hyperplane H is a maximal proper closed set. It has rank r(H) = r(E) − 1. 
Closed sets are also called flats and all flats can be obtained as intersection of 
hyperplanes [28, Theorem 1.7.8]. A matroid on E is determined by the collection 
H of all hyperplanes. A collection H of subsets of E defines the hyperplanes for 
a matroid if and only if [28, Proposition 2.1.18] 

(H1) E ∉ H. 

(H2) No proper subset of a hyperplane is a hyperplane. 

(H3) For distinct H_1, H_2 ∈ H and x ∉ H_1 ∪ H_2 there exists H_3 ∈ H that 
contains H_1 ∩ H_2 and x. 

For a subset A ⊆ E we define the degree |A| and the rank r(A) of the subset, 
where 

\[ r(A) = \max\{\, |I| : I \subseteq A,\ I \in \mathcal{I} \,\}. \]

We also consider the corank and the nullity of a subset, 

\[ r(E) - r(A) \quad \text{(corank)}, \qquad |A| - r(A) \quad \text{(nullity)}. \]

In general, the corank and nullity are nonnegative integers. They satisfy the 
duality, for Ā = E − A [28, Proposition 2.1.9], 

\[ r(E) - r(A) = |\bar{A}| - r^*(\bar{A}). \]

The rank polynomial (or Whitney polynomial, or corank-nullity polynomial) is 
defined as 

\[ W(x, y) = \sum_{A \subseteq E} x^{\,r(E) - r(A)}\, y^{\,|A| - r(A)}, \]

so that the dual matroid M* of M has W*(x, y) = W(y, x). In this paper we are 
particularly interested in properties of a matroid that can be studied through 
its rank polynomial. We give two theorems by Edmonds that show that the 
natural packing and covering problem for a matroid can be decided from its 
rank polynomial [41, Section 8.4]. 

Theorem 1 (Packing problem). [15] A matroid M on the set E has k disjoint 
bases if and only if, for all subsets A ⊆ E, 

\[ k \cdot (r(E) - r(A)) \le |\bar{A}|. \]

Theorem 2 (Covering problem). [15] A matroid M on the set E can be 
covered by k independent sets if and only if for all subsets A ⊆ E, 

\[ k \cdot r(A) \ge |A|. \]

The reference [7] discusses in detail various other applications of the rank 
polynomial. We include an example from [7] of two matroids with the same 
rank polynomial (Figure 2). They differ in many other aspects, for example they 
have different lattices of flats. The matroid on the left has three hyperplanes of 
size 2 (namely {2, 5}, {3, 5}, {4, 5}), whereas the matroid on the right has two 
hyperplanes of size 2 ({1, 4}, {3, 5}). 
Figure 2: Non-isomorphic matroids with the same rank polynomial. 

3 Graphs 

Through work of Tutte and others there have been important contributions from 
graph theory to matroid theory and vice versa. In the previous section we de- 
fined the matroid of a graph as the matroid of its vertex-edge incidence matrix 
D. For a directed graph the entry takes value −1 if the edge e originates 
in v, +1 if it arrives at v, and value 0 if it does neither or both. Edges of an 
undirected graph can be signed arbitrarily with no effect on the matroid. 

An equivalent definition of this matroid can be given in terms of circuits or 
minimal dependent sets. Thus C ⊆ E is a circuit if 

\[ r(C) < |C| \quad \text{and for all } z \in C:\ r(C - z) = |C - z|. \]

In dual terms, for C̄ = E − C, 

\[ r^*(\bar{C}) < r^*(E), \quad \text{and for all } z \notin \bar{C}:\ r^*(\bar{C} \cup z) = r^*(E). \]

In other words, a circuit is the complement of a hyperplane in the dual matroid. 
And a matroid on E is determined by the collection C of its circuits. A collection 
C of subsets of E defines the circuits for a matroid if and only if [28, Corollary 
1.1.5] 

(C1) ∅ ∉ C. 

(C2) No proper subset of a circuit is a circuit. 

(C3) For distinct C_1, C_2 ∈ C and z ∈ C_1 ∩ C_2 there exists C_3 ∈ C contained in 
C_1 ∪ C_2 − z. 

The matroid defined by the circuits of a graph is called the cycle matroid of the 
graph. The dual matroid is called the cocycle matroid of the graph. A connected 
planar graph G and its dual G* can be given orientations such that D* D^T = 0. 
The matroids defined with D and D*, respectively, are thus in duality and correspond 
to the cycle matroid and the cocycle matroid of the graph G. 
The incidence matrix D represents the boundary operator ∂ : C_1 → C_0 from 
the space of 1-chains, defined on edges, to the space of 0-chains, defined on 
vertices. The boundary operator maps the edge e = (v_−, v_+) to ∂e = v_+ − v_−. 
Let ∂C_1 be the image of C_1 in C_0. For a subset A of the edge set E, we consider 
the restriction ∂|A : C_1(A) → ∂C_1. The complex 

\[ \cdots \to 0 \to C_1(A) \to \partial C_1 \to 0 \to \cdots \]

has nontrivial homology groups of dimensions h_1(A) = dim Ker ∂|A = |A| − 
rank ∂|A and h_0(A) = dim Coker ∂|A = rank ∂ − rank ∂|A. Thus the rank 
polynomial for a graph gives information about the homology of the various 
boundary operators defined on subgraphs. 

We give two problems on graphs that have a solution in terms of the rank 
polynomial of the corresponding matroid. A flow mod m in a connected graph 
is the assignment x of a nonzero integer residue mod m to each edge such that 
Dx = 0. The number of flows mod m (of nowhere zero 1-cycles) on a connected 
graph G is [7, Proposition 6.3.4.] 

\[ (-1)^{|E| - |V| + 1}\, W(-1, -m). \]

An m-coloring of a connected graph is the assignment y of an integer residue 
mod m to each vertex such that D*y is nonzero on each edge. The number 
of m-colorings (of nowhere zero 1-coboundaries) on a connected graph is [7, 
Proposition 6.3.1.] 

\[ (-1)^{|V| - 1}\, W(-m, -1). \]

The following game on matroids is described in [27] as a variation of Shannon's 
switching game for graphs [41, Section 19.4]. Obviously, no basis is contained 
in a hyperplane. Therefore every basis has non-trivial intersection with 
every circuit in the dual matroid. Players B and C take turns picking an element 
from the underlying set E = {1, 2, . . . , n} of the matroid. Player B wins if he 
conquers a basis for the matroid. Player C wins if he conquers a circuit for the 
dual matroid. The game has precisely one winner. The following are equivalent 
[27], [15]. 

(1) Player C plays first and player B can win against all possible strategies of 
C. 

(2) The matroid M has two disjoint bases. 

The second (global) condition can be verified with the (local) conditions 
of Edmonds' packing theorem in the previous section. And the existence of a 
winning strategy for B is revealed by the rank polynomial of the matroid. 

The matroid of a graph describes certain properties of the edges in the graph, 
but in general does not determine the spectrum of a graph or properties related 
to the spectrum. A trivial example is given by the two graphs in Figure 3. They 
have the same matroid, but have different spectrum (the spectrum of Chung’s 
Laplacian [8] is (0, 1/2, 3/2, 2) and (0, 1, 1, 2), respectively). Clearly they have 
different diameter. The two graphs in Figure 4 also have the same matroid (in 
fact with the given orientation their incidence matrices have the same row space), 
but have different spectrum (the spectrum of Chung's Laplacian is (0, 2/3, 4/3, 2) 
and (0, 1, 1, 2), respectively). 



Figure 3: Non-isomorphic graphs with the same matroid. 

Figure 4: Non-isomorphic graphs with the same matroid. 

The number of cycles (or closed backtrackless tail-less paths) of given length 
differs for the two graphs. The Ihara zeta function is a generating function for 
the number of cycles and using Bass's generalization it can be computed as [5], 
[19], 

\[ \frac{(1 - u^2)^{\chi}}{\det(1 - Au + Qu^2)}, \]

where χ = |V| − |E| is the Euler characteristic, A is the adjacency matrix, and 
Q is a diagonal matrix with entries the vertex degrees minus one. 



4 Linear Codes 

A finite sequence of n points in projective space, not all contained in one hyperplane, 
becomes a matroid with the natural definitions for the degree and rank 
of a subsequence of points. The matroid definition of a hyperplane as a maximal 
proper closed subset of {1, 2, . . . , n} applies. But we also have the collection of 
hyperplanes of the projective space. The properties of the first type of hyperplanes 
are described by the lattice of flats of the matroid. The rank polynomial 
of the matroid in general does not give full information about the number of such 
hyperplanes. On the other hand the number of hyperplanes in projective space 
over a finite field depends only on the size of the field and the dimension of the 
projective space. The theorem by Greene below shows that the rank polynomial 
of a matroid of n points gives the number of projective hyperplanes that contain 
precisely a of the n points, for any given a = 0, 1, . . . , n. This makes the rank 
polynomial an important invariant for linear codes. 

A linear code is a subspace of the space of all n letter words over a finite 
field F of q elements. After choosing generators for the subspace, the code can be 
described as the row space of a matrix G of full rank called the generator matrix. 
The matroid M(C) of a linear code C is defined as the matroid associated to its 
generator matrix. The matroid M(C*) of the dual code equals the dual matroid 
M(C)* of the code. 

Assuming that the code has no zero columns in its generator matrix the 
columns of the matrix define points in projective space. The generator matrix 
defines a natural q − 1 to 1 map from nonzero codewords to the hyperplanes 
of the projective space. The Hamming weight distribution of the code gives 
the number of codewords of given Hamming weight. Equivalently, it gives the 
number of hyperplanes that contain a given number of points. Let 

\[ A(x, y) = \sum_{i=0}^{n} A_i\, x^{n-i} y^{i} \]

be the Hamming weight enumerator for the linear code. Greene's theorem relates 
the weight enumerator of a code to the rank polynomial of its matroid [17]: 

\[ A(x, y) = (x - y)^k\, y^{\,n-k}\; W\!\left( \frac{q y}{x - y},\ \frac{x - y}{y} \right). \]

In particular, for the number A_n of words with n nonzero coordinates we find 

\[ A_n = (-1)^k\, W(-q, -1). \]

This is similar to the expression for the number of nowhere zero 1-coboundaries 
in the graph coloring problem. For a linear code over the field of two elements, 
we have the useful evaluation [31], [20], [7] (with incorrect sign) 

W(−2, −2) = 

There are other properties of a linear code that can not be obtained from 
the matroid structure alone. Examples are coset weight enumerators and the 
covering radius. The following two codes over the held of five elements have the 
same matroid. 





^10 0 


0 2 4\ 


Ci= 1 


0 1 0 
0 1 


40 2 
24 0/ 





/I 0 0 


0 3 3\ 


^2= 1 


0 1 0 
1^0 0 1 


3 0 3 
3 3 0/ 
In each case, a subset of $\{1,2,3,4,5,6\}$ is independent if it is of size at most three and different from $\{2,3,4\}$, $\{1,3,5\}$, $\{1,2,6\}$. The two codes are not equivalent: any six-letter word is at Hamming distance at most 2 from the second code, but the word 111000 is at distance 3 from the first code. 
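The following Python is an added example, not code from the paper. It takes the two generator matrices above as its input (typed in from the text), enumerates the codewords over $F_5$, and checks the claims made about them: the matroid as the family of independent column sets, the rank polynomial $W(x,y)$ built from the ranks $r(A)$ of column subsets, the weight distribution, Greene's theorem in the form stated above (evaluated exactly in rational arithmetic), and finally the covering radius of each code (via coset leaders) together with the distance of the word 111000 from the first code. The covering-radius routine assumes the generator matrices are in systematic form, which both are.

```python
from fractions import Fraction
from itertools import combinations, product

# Constructed input: the two [6,3] codes over F_5 from the text, given by
# their generator matrices (rows over F_5).  Both are in systematic form.
Q = 5
G1 = [[1, 0, 0, 0, 2, 4], [0, 1, 0, 4, 0, 2], [0, 0, 1, 2, 4, 0]]
G2 = [[1, 0, 0, 0, 3, 3], [0, 1, 0, 3, 0, 3], [0, 0, 1, 3, 3, 0]]


def codewords(G, q):
    """All q^k codewords of the row space of G over the prime field F_q."""
    k, n = len(G), len(G[0])
    return [tuple(sum(a * row[j] for a, row in zip(coeffs, G)) % q for j in range(n))
            for coeffs in product(range(q), repeat=k)]


def support(word):
    return frozenset(j for j, x in enumerate(word) if x)


def weight_distribution(G, q):
    """A_0, ..., A_n: the number of codewords of each Hamming weight."""
    A = [0] * (len(G[0]) + 1)
    for w in codewords(G, q):
        A[len(support(w))] += 1
    return A


def column_ranks(G, q):
    """r(A) for every set A of columns of G, as {frozenset(A): rank}.
    With S the complement of A, the subcode C_S of words supported on S has
    q^{k_S} elements and k_S = k - r(A): a codeword vanishes on A exactly
    when its coefficient vector lies in the kernel of the columns of A."""
    words = codewords(G, q)
    k, n = len(G), len(G[0])
    ranks = {}
    for size in range(n + 1):
        for A in combinations(range(n), size):
            S = frozenset(range(n)) - frozenset(A)
            count = sum(1 for w in words if support(w) <= S)  # equals q^{k_S}
            k_S = 0
            while count > 1:
                count //= q
                k_S += 1
            ranks[frozenset(A)] = k - k_S
    return ranks


def independent_sets(G, q):
    """The matroid of the code: the column sets A with r(A) = |A|."""
    return {A for A, r in column_ranks(G, q).items() if r == len(A)}


def rank_polynomial(G, q):
    """W(x,y) = sum_A x^{k-r(A)} y^{|A|-r(A)}, as {(corank, nullity): count}."""
    k = len(G)
    W = {}
    for A, r in column_ranks(G, q).items():
        key = (k - r, len(A) - r)
        W[key] = W.get(key, 0) + 1
    return W


def eval_W(W, x, y):
    return sum(c * x ** i * y ** j for (i, j), c in W.items())


def greene_check(G, q, x=Fraction(3), y=Fraction(1)):
    """Greene's theorem A(x,y) = (x-y)^k y^{n-k} W(qy/(x-y), (x-y)/y) at one
    point with x != y, y != 0, plus its corollary A_n = (-1)^k W(-q,-1).
    Exact rational arithmetic, so the equality test is meaningful."""
    k, n = len(G), len(G[0])
    A, W = weight_distribution(G, q), rank_polynomial(G, q)
    lhs = sum(A[i] * x ** (n - i) * y ** i for i in range(n + 1))
    rhs = (x - y) ** k * y ** (n - k) * eval_W(W, q * y / (x - y), (x - y) / y)
    return lhs == rhs and A[n] == (-1) ** k * eval_W(W, -q, -1)


def distance_to_code(word, G, q):
    return min(sum(1 for a, b in zip(word, c) if a != b) for c in codewords(G, q))


def covering_radius(G, q):
    """Largest distance of any word of F_q^n to the code.  For systematic
    G = [I_k | P] the coset of w is identified by the last n-k symbols of
    w - (w_1..w_k) G, so the covering radius is the largest minimum weight
    taken over the q^{n-k} cosets."""
    k, n = len(G), len(G[0])
    assert all(G[i][j] == (1 if i == j else 0) for i in range(k) for j in range(k))
    leader_weight = {}
    for w in product(range(q), repeat=n):
        key = tuple((w[j] - sum(w[i] * G[i][j] for i in range(k))) % q for j in range(k, n))
        wt = sum(1 for x in w if x)
        leader_weight[key] = min(wt, leader_weight.get(key, n))
    return max(leader_weight.values())


if __name__ == "__main__":
    print("same matroid:", independent_sets(G1, Q) == independent_sets(G2, Q))
    print("same weight distribution:", weight_distribution(G1, Q) == weight_distribution(G2, Q))
    print("Greene holds:", greene_check(G1, Q), greene_check(G2, Q))
    print("d(111000, C1) =", distance_to_code((1, 1, 1, 0, 0, 0), G1, Q))
    print("covering radii:", covering_radius(G1, Q), covering_radius(G2, Q))
```

Because the two codes have the same matroid they share the rank polynomial and, by Greene's theorem, the weight distribution; the covering radii nevertheless differ, which is the point the text makes.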

Binary codes are completely determined by their matroid, for a code is determined by its Plücker coordinates, and the Plücker coordinate corresponding to a full minor is 1 if the columns in the minor are a basis for the matroid and 0 otherwise. On the other hand, inequivalent binary codes can have the same rank polynomial. The following two codes are the smallest pair that we could find:

$$\begin{pmatrix} 1&0&0&0&0&1&1&0&1 \\ 0&1&0&0&1&1&1&0&0 \\ 0&0&1&0&1&0&1&1&1 \\ 0&0&0&1&0&0&0&1&1 \end{pmatrix}, \qquad \begin{pmatrix} 1&0&0&0&0&1&1&0&1 \\ 0&1&0&0&1&1&1&1&1 \\ 0&0&1&0&1&0&1&0&1 \\ 0&0&0&1&0&0&0&1&1 \end{pmatrix}.$$

5 Special Divisors on Curves 

Let $X/F$ be an algebraic curve (projective, non-singular, absolutely irreducible) over a finite field $F$ of $q$ elements. Let $g$ denote the genus of the curve and let $K$ denote a canonical divisor. Let $h = |\mathrm{Pic}_0(X)|$ be the number of distinct divisor classes on $X$ of given degree. Riemann-Roch gives, for the dimension $l(D)$ of the linear space $L(D) = \{ f \in F(X) : (f) + D \ge 0 \} \cup \{0\}$,

$$l(D) - l(K-D) = \deg D + 1 - g.$$

A divisor $E$ on $X$ is special if both $l(E) > 0$ and $l(K-E) > 0$. On the set of special divisors $E$ of a curve we have the natural degree map $|E| = \deg E$. We define the rank of a special divisor as the number of independent linear conditions that it imposes on the canonical linear system,

$$r(E) = l(K) - l(K-E).$$

For $E$ a finite sum of points this definition agrees with the rank of the set of points embedded in projective space with the canonical embedding. Although this definition of degree and rank does not make the set of special divisors a matroid, we find that several notions that were introduced for matroids, such as corank, nullity and rank polynomial, are very useful in describing properties of special divisors. For the corank and nullity of a special divisor we find

$$r(K) - r(E) = l(K-E) - 1, \qquad |E| - r(E) = l(E) - 1.$$

In particular, corank and nullity are in duality if we define the complement of $E$ in $K$ to be the special divisor $K - E$. It is easily verified that for $P_1 + P_2 + \cdots + P_n \sim K$, the definition of degree and rank defines a matroid on the set of special divisors $0 \le E \le P_1 + P_2 + \cdots + P_n$ (see also Section 12). The matroid has rank polynomial 

E 

The matroid is the union of two disjoint bases. The easy directions in Theorems 1 and 2 (with $k = 2$) then imply

$$2\,(l(K-E) - 1) \le \deg(K-E) \qquad \text{and} \qquad 2\,(l(K) - l(K-E)) \ge \deg E,$$

respectively. Thus Clifford's theorem arises as a special case of the packing and covering theorems for matroids. For an arbitrary special divisor $E$, and for a sufficiently large base field $F$, we can always find $P_1, P_2, \ldots, P_n$ such that $0 \le E \le P_1 + P_2 + \cdots + P_n \sim K$. 



Let h^{D) = dimii°(ff, 0(P)) and h^{D) = dim. P[^{X,0{D)) be the coho- 
mological dimensions for the line bundle associated to the divisor D. To describe 
the dimensions for all divisors, we write the two- variable vanderGeer-Schoof zeta 
function [37, Section 8] as a rank function 

[^] 



The summation is over divisor classes \D] . The decomposition in [37, Section 8] 
yields 



2g-2 



W^^{x,y)=J2 y’" + + 

i=0 deg[D]=i i>2g—2 i<0 

29-2 



-i-l+g 



= E E ^ 

0 deg[D]— i 



h h- . 

1 — a; i — y 



( 1 ) 



A different decomposition with a finite term that sums over special divisors only 
is presented in Section 10. 



6 Zeta Functions for Curves 

We make the connection between rank polynomials and zeta functions. Let $a_i$ be the number of effective divisors of degree $i$ on $X$. With Riemann-Roch,

$$a_i = \begin{cases} 0, & \text{for } i < 0, \\ h\,(q^{\,i+1-g} - 1)/(q-1), & \text{for } i > 2g-2. \end{cases}$$

Thus, for $i \notin \{0, 1, \ldots, 2g\}$,

$$a_i - (q+1)\,a_{i-1} + q\,a_{i-2} = 0. \tag{2}$$

Define the Hasse-Weil zeta function as the generating function

$$Z(T) = \sum_{i \ge 0} a_i\, T^i.$$

Let $p_i = a_i - (q+1)a_{i-1} + q\,a_{i-2}$. With (2), the zeta function can be written as the rational function

$$Z(T) = \frac{P(T)}{(1-T)(1-qT)}, \qquad P(T) = p_0 + p_1 T + \cdots + p_{2g} T^{2g}.$$



Pellikaan [30] defines a two-variable zeta function as the power series

$$Z(T,u) = \sum_{[D]} \frac{u^{\,l(D)} - 1}{u - 1}\, T^{\deg D}$$

and gives a decomposition

$$(u-1)\,Z(T,u) = \sum_{i=0}^{2g-2} \sum_{\deg[D]=i} u^{h^0(D)}\, T^{\deg D} + \sum_{i>2g-2} h\, u^{\,i+1-g}\, T^{i} - \sum_{i \ge 0} h\, T^{i}. \tag{3}$$

The summation is over divisor classes $[D]$. For a base field $F$ of $q$ elements and for $u = q$, it agrees with the Hasse-Weil zeta function: $Z(T,q) = Z(T)$. The vanderGeer-Schoof zeta function gives a generalization to number fields. In the version for curves it is defined as 

[D] 



We use it in the form 

[D] 

So that $\;= W^{gs}(q^{\,\cdot}, q^{\,\cdot})$. Deninger [10, Proposition 2.1] establishes the relation

$$(u-1)\,T^{1-g}\, Z(T,u) = W^{gs}(uT, T^{-1}). \tag{4}$$



The short proof uses that the two sides agree termwise for the decompositions (1) and (3). For later use, we write the left side as

$$(u-1)\,T^{1-g}\,Z(T,u) = \sum_{i=0}^{2g-2} \sum_{\deg[D]=i} \left(u^{h^0(D)} - 1\right) T^{\,i+1-g} + \sum_{i>2g-2} h\,\left(u^{\,i+1-g} - 1\right) T^{\,i+1-g}. \tag{5}$$
Example 1. The hyperelliptic curve 

+ y 



x'^ + X 
+ X + 1 



over the field of two elements is of genus two with special divisor classes: the zero class, the classes of the five rational points, and the canonical class (Figure 5). It has two-variable zeta function

$$Z(T,u) = \frac{1 + (4-u)\,T + (9-3u)\,T^2 + (4u-u^2)\,T^3 + {}}{(1-T)(1-uT)}.$$




Figure 5: Number of divisor classes with given h^,h^ (Example 1). 
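As an added illustration (this code is not from the paper), the following Python rebuilds the two-variable zeta function of Example 1 from the kind of data the example lists: the genus $g = 2$ and, for each degree $0 \le \deg[D] \le 2g-2$, how many classes have each value of $h^0$. The class counts are an assumption of this example, derived from the text's list of special classes together with Riemann-Roch: $h = 14$ classes per degree; in degree 0 the zero class with $h^0 = 1$ and all other classes with $h^0 = 0$; in degree 1 the five rational-point classes with $h^0 = 1$ and the rest with $h^0 = 0$; in degree 2 the canonical class with $h^0 = 2$ and every other class with $h^0 = 1$ (non-special). The coefficients of $Z(T,u)$ are then formed as in (3) (for degrees above $2g-2$ every class has $h^0 = \deg D + 1 - g$), and the numerator of $Z(T,u)$ is obtained with the recurrence behind (2). The computation is done at several numeric values of $u$ in exact rational arithmetic and compared with the numerator quoted in the example.

```python
from fractions import Fraction

# Constructed input (an assumption of this example, see the text above): for
# the genus-2 curve of Example 1, per degree i in 0..2g-2, a dict
# {h^0 : number of divisor classes of degree i with that h^0}.
GENUS = 2
H = 14                      # divisor classes of each degree
CLASS_DATA = {
    0: {1: 1, 0: 13},       # the zero class; 13 classes with h^0 = 0
    1: {1: 5, 0: 9},        # the five rational points; 9 classes with h^0 = 0
    2: {2: 1, 1: 13},       # the canonical class; 13 non-special classes
}


def zeta_coefficients(class_data, g, h, u, terms):
    """z_0 .. z_{terms-1} with Z(T,u) = sum_[D] (u^{h^0(D)} - 1)/(u-1) T^{deg D},
    following decomposition (3): degrees 0..2g-2 from the class data, and for
    every degree i > 2g-2 all h classes have h^0 = i + 1 - g."""
    u = Fraction(u)
    z = []
    for i in range(terms):
        if i <= 2 * g - 2:
            z.append(sum(cnt * (u ** h0 - 1) / (u - 1) for h0, cnt in class_data[i].items()))
        else:
            z.append(h * (u ** (i + 1 - g) - 1) / (u - 1))
    return z


def numerator(z, u):
    """p_i = z_i - (u+1) z_{i-1} + u z_{i-2}: the coefficients of
    P(T,u) = Z(T,u) (1-T)(1-uT), the recurrence that underlies (2)."""
    u = Fraction(u)
    return [z[i] - (u + 1) * (z[i - 1] if i >= 1 else 0) + u * (z[i - 2] if i >= 2 else 0)
            for i in range(len(z))]


def quoted_numerator(u):
    """Coefficients of T^0 .. T^3 of the numerator quoted in Example 1."""
    u = Fraction(u)
    return [Fraction(1), 4 - u, 9 - 3 * u, 4 * u - u * u]


def numerator_at(u, g=GENUS, h=H, class_data=CLASS_DATA, terms=None):
    """Numerator coefficients p_0 .. p_{terms-1} at the numeric value u."""
    terms = terms or 2 * g + 4          # enough terms to watch p_i vanish past 2g
    return numerator(zeta_coefficients(class_data, g, h, u, terms), u)


if __name__ == "__main__":
    for u in (2, 3, 5):
        p = numerator_at(u)
        print(f"u = {u}: first four coefficients match quoted: {p[:4] == quoted_numerator(u)};"
              f" coefficients beyond T^{2 * GENUS}: {p[2 * GENUS + 1:]}")
```

At $u = q = 2$ the coefficients sum to $P(1) = 14$, the class number, which is the consistency check that fixes $h$ in the assumed data.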



7 Zeta Functions for Linear Codes 

In the previous section we saw that the rank polynomial is defined naturally for a curve and that it is related to the zeta function of the curve. The zeta function of a curve is the generating function for the number of effective divisors. In this section we define the zeta function of a linear code as the generating function for the normalized binomial moments of the code. 

Let $C$ be a linear code of length $n$ over the finite field $F$ of $q$ elements. For a subset $S \subseteq \{1, 2, \ldots, n\}$ let $C_S$ be the subcode of $C$ of words with support in $S$. Let $k_S$ denote the dimension of $C_S$. Then

$$k_S = \begin{cases} 0, & \text{for } 0 \le |S| < d, \\ k - (n - |S|), & \text{for } n - d^\perp < |S| \le n. \end{cases}$$

The number of nonzero words in $C_S$ counted up to multiplication by scalars is given by $(q^{k_S} - 1)/(q-1)$. Let

$$B_i = \sum_{|S| = i} \frac{q^{k_S} - 1}{q - 1}.$$
The $B_i$ are called the binomial moments of the code. As in [34], we have

$$B_i = \begin{cases} 0, & \text{for } 0 \le i < d, \\ \binom{n}{i}\,(q^{\,k-n+i} - 1)/(q-1), & \text{for } n - d^\perp < i \le n. \end{cases}$$

Let $b_i = B_{i+d} / \binom{n}{i+d}$ be the normalized binomial moment. Extend the definition of $b_i$ to all $i \in \mathbb{Z}$ by setting

$$b_i = \begin{cases} 0, & \text{for } i < 0, \\ (q^{\,i+d+k-n} - 1)/(q-1), & \text{for } i > n - d - d^\perp. \end{cases}$$

Define the zeta function as the generating function

$$Z(T) = \sum_{i \ge 0} b_i\, T^i. \tag{6}$$

For $i \notin \{0, 1, \ldots, n - d - d^\perp + 2\}$,

$$b_i - (q+1)\,b_{i-1} + q\,b_{i-2} = 0. \tag{7}$$



Let $p_i = b_i - (q+1)b_{i-1} + q\,b_{i-2}$. With (7), the zeta function can be written as the rational function

$$Z(T) = \frac{P(T)}{(1-T)(1-qT)},$$

where

$$P(T) = p_0 + p_1 T + \cdots + p_{\,n+2-d-d^\perp}\, T^{\,n+2-d-d^\perp}.$$

For the one-variable zeta function,

$$(q-1)\,T^{\,k+d-n}\,Z(T) = \sum_{i=0}^{n} \frac{1}{\binom{n}{i}} \sum_{|S|=i} \left(q^{k_S} - 1\right) T^{\,i+k-n} + \sum_{i>n} \left(q^{\,i+k-n} - 1\right) T^{\,i+k-n}.$$

Define the two-variable zeta function for linear codes by replacing $q$ with the variable $u$. Then

$$Z(T,u) = \frac{P(T,u)}{(1-T)(1-uT)}$$

is a rational function with $\deg_T P(T,u) = n + 2 - d - d^\perp$, and

$$(u-1)\,T^{\,k+d-n}\,Z(T,u) = \sum_{i=0}^{n} \frac{1}{\binom{n}{i}} \sum_{|S|=i} \left(u^{k_S} - 1\right) T^{\,i+k-n} + \sum_{i>n} \left(u^{\,i+k-n} - 1\right) T^{\,i+k-n}. \tag{8}$$
The above form is convenient as a definition, but obviously it can be sharpened to get a smaller finite term. 

(u - l)r'=+‘^-”Z(T, u) 

n-\-2 — d—d~'~ . 

= Ad ^ (9) 

0 |5|— i i>n-\-2—d—d-^ 



Example 2. The formally self-dual binary code

$$C = \begin{pmatrix} 1&0&0&0&1&1&0&0 \\ 0&1&0&0&0&1&1&0 \\ 0&0&1&0&0&0&1&1 \\ 0&0&0&1&1&0&0&1 \end{pmatrix}$$

has as non-generic column sets: $|S| = 3$ and $k_S = 1$ (4 times), $|S| = 4$ and $k_S = 1$ (25 times), and $|S| = 5$ and $k_S = 2$ (4 times) (see Figure 6). The two-variable zeta function is

$$Z(T,u) = \frac{1}{14}\cdot\frac{1 + (4-u)\,T + (9-3u)\,T^2 + (4u-u^2)\,T^3 + {}}{(1-T)(1-uT)}.$$

Figure 6: Number of coordinate subsets with given corank, nullity (Example 2). 

8 Normalized Rank Functions 

For an algebraic curve we have the zeta function $Z(T,u)$ and the rank function $W^{gs}(x,y)$. Equation (4) provides the transformation

$$(u-1)\,T^{1-g}\,Z(T,u) = W^{gs}(uT, T^{-1}). \tag{10}$$

For a linear code of length $n$ and dimension $k$ we will show that

$$(u-1)\,T^{\,k+d-n}\,Z(T,u) = W^+(uT, T^{-1}) \tag{11}$$

for

$$W^+(x,y) = W_n(x,y) + \frac{x^{k+1}}{1-x} + \frac{y^{n-k+1}}{1-y},$$

and

$$W_n(x,y) = \sum_{i=0}^{n} \frac{1}{\binom{n}{i}} \sum_{A \subseteq G,\ |A| = i} x^{r(G)-r(A)}\, y^{|A|-r(A)}.$$

Thus Equation (10) for curves holds for linear codes if we normalize the rank polynomial of the linear code and add infinite tails. We call $W_n$ the normalized rank polynomial of a matroid and $W^+$ the normalized rank function of a matroid. For a general matroid, the length $n$ and dimension $k$ of a code should be replaced with the size $n$ and the rank $k$ of the matroid. The rank polynomial

$$W(x,y) = \sum_{A} x^{r(G)-r(A)}\, y^{|A|-r(A)}$$

for a linear code is defined with the matroid of the columns $G$ of a generator matrix. For a subset $S \subseteq G$ with complement $A$, let $h^0 = r(G) - r(A)$ and $h^1 = |A| - r(A)$. We rewrite the left side of (11) starting from the expression in (8). With $k_S = \dim(C_S) = r(G) - r(A)$ and $|A| - r(A) = |A| - r(G) + r(G) - r(A) = n - |S| - k + k_S$,

$$(u-1)\,T^{\,k+d-n}\,Z(T,u) = \sum_{i=0}^{n} \frac{1}{\binom{n}{i}} \sum_{|S|=i} \left(u^{h^0} - 1\right) T^{\,i+k-n} + \sum_{i>n} \left(u^{\,i+k-n} - 1\right) T^{\,i+k-n}. \tag{12}$$

Thus 



^ ^ rjAi-\-k—n 
i>0 



Equation (12) generalizes the definition of the zeta function $Z(T,u)$ in (8) to matroids. A priori the zeta function has an interpretation only for representable matroids, as the generating function for weight distributions. With this definition, (11) holds more generally for matroids. Note that to the minimum distance $d$ of a code corresponds, more generally, the size $d$ of the smallest cocircuit of a matroid. In dual terms, $n - d$ is the size of the largest hyperplane in a matroid. The genus $g$ in (10) has as corresponding matroid parameter the maximal corank of a cocircuit, or by duality the maximal nullity of a hyperplane.

$$(u-1)\,T^{\,k+d-n}\,Z(T,u) = \sum_{i=0}^{n} \frac{1}{\binom{n}{i}} \sum_{|S|=i} (uT)^{h^0} (T^{-1})^{h^1} + \sum_{i>n} (uT)^{\,i+k-n} - \sum_{i \ge 0} T^{\,i+k-n}$$

$$= W_n(uT, T^{-1}) + \frac{(uT)^{k+1}}{1-uT} - \frac{T^{\,k-n}}{1-T} = W^+(uT, T^{-1}).$$

$$g = \max\{ r^*(G) - r^*(C) : C \in \mathcal{C}^* \} = (n-k) - (d-1), \qquad g = \max\{ |H| - r(H) : H \in \mathcal{H} \} = (n-d) - (k-1).$$
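As an added example (not code from the paper), the following Python carries the definitions of Section 7 through for the code of Example 2 and then checks (11) against them. It computes $k_S$ for every coordinate subset, the binomial moments $B_i(u) = \sum_{|S|=i} (u^{k_S}-1)/(u-1)$ as polynomials in $u$, the normalized moments $b_i(u) = B_{i+d}(u)/\binom{n}{i+d}$, and the coefficients $p_i(u)$ of $P(T,u)$ via $p_i = b_i - (u+1)\,b_{i-1} + u\,b_{i-2}$. Then it evaluates both sides of (11) at a numeric point, with $W_n$ built from the same subset data ($h^0 = k_S$, $h^1 = n - |S| - k + k_S$) and the two tails of $W^+$ summed as rational functions. Polynomials in $u$ are stored as lists of rational coefficients; since the field is $F_2$, each $k_S$ is read off from the number of codewords supported on $S$.

```python
from fractions import Fraction
from itertools import combinations
from math import comb

# Constructed input: the generator matrix of the [8,4] formally self-dual
# binary code of Example 2 (rows as bit lists; coordinate j <-> bit j).
G_EXAMPLE2 = [
    [1, 0, 0, 0, 1, 1, 0, 0],
    [0, 1, 0, 0, 0, 1, 1, 0],
    [0, 0, 1, 0, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 0, 0, 1],
]


def binary_codewords(G):
    """All 2^k codewords as integers (coordinate j is bit j)."""
    words = [0]
    for row in G:
        r = sum(bit << j for j, bit in enumerate(row))
        words += [w ^ r for w in words]
    return words


def subcode_dimensions(G):
    """k_S for every coordinate subset S (a tuple of indices): the subcode C_S
    of words with support inside S has exactly 2^{k_S} elements."""
    n, words = len(G[0]), binary_codewords(G)
    dims = {}
    for size in range(n + 1):
        for S in combinations(range(n), size):
            mask = sum(1 << j for j in S)
            count = sum(1 for w in words if w & ~mask == 0)
            dims[S] = count.bit_length() - 1
    return dims


def distances(G, dims):
    """d = min{|S| : k_S > 0}.  A column set A is dependent exactly when
    k_S > k - |A| for S the complement of A, and a minimal dependent column
    set is the support of a minimum-weight dual word, so d^perp = min such |A|."""
    n, k = len(G[0]), len(G)
    d = min(len(S) for S, kS in dims.items() if kS > 0)
    dperp = min(n - len(S) for S, kS in dims.items() if kS > k - (n - len(S)))
    return d, dperp


# Polynomials in u as lists of Fraction coefficients, lowest degree first.
def padd(a, b):
    out = [Fraction(0)] * max(len(a), len(b))
    for i, c in enumerate(a): out[i] += c
    for i, c in enumerate(b): out[i] += c
    while out and out[-1] == 0: out.pop()
    return out

def pscale(a, c): return [c * x for x in a]
def pshift(a, s): return [Fraction(0)] * s + list(a)          # multiply by u^s
def peval(a, u): return sum(c * Fraction(u) ** i for i, c in enumerate(a))


def zeta_numerator(G):
    """p_0(u), p_1(u), ... with Z(T,u) = P(T,u)/((1-T)(1-uT)), P = sum p_i T^i,
    from b_i(u) = B_{i+d}(u)/binom(n, i+d) and p_i = b_i - (u+1) b_{i-1} + u b_{i-2}.
    Each subset S contributes (u^{k_S}-1)/(u-1) = 1 + u + ... + u^{k_S - 1} to B_|S|."""
    n, k = len(G[0]), len(G)
    dims = subcode_dimensions(G)
    d, dperp = distances(G, dims)
    B = [[] for _ in range(n + 1)]
    for S, kS in dims.items():
        B[len(S)] = padd(B[len(S)], [Fraction(1)] * kS)
    b = [pscale(B[i + d], Fraction(1, comb(n, i + d))) for i in range(n - d + 1)]
    p = []
    for i in range(len(b)):
        b1 = b[i - 1] if i >= 1 else []
        b2 = b[i - 2] if i >= 2 else []
        p.append(padd(padd(b[i], pscale(padd(pshift(b1, 1), b1), -1)), pshift(b2, 1)))
    return p, d, dperp


def check_identity_11(G, u, T):
    """Both sides of (11) at a numeric point: (u-1) T^{k+d-n} Z(T,u) and
    W^+(uT, 1/T) with W^+(x,y) = W_n(x,y) + x^{k+1}/(1-x) + y^{n-k+1}/(1-y),
    W_n(x,y) = sum_S binom(n,|S|)^{-1} x^{h^0} y^{h^1}, h^0 = k_S, h^1 = n-|S|-k+k_S."""
    n, k = len(G[0]), len(G)
    u, T = Fraction(u), Fraction(T)
    p, d, _ = zeta_numerator(G)
    Z = sum(peval(c, u) * T ** i for i, c in enumerate(p)) / ((1 - T) * (1 - u * T))
    lhs = (u - 1) * T ** (k + d - n) * Z
    x, y = u * T, 1 / T
    Wn = sum(Fraction(1, comb(n, len(S))) * x ** kS * y ** (n - len(S) - k + kS)
             for S, kS in subcode_dimensions(G).items())
    rhs = Wn + x ** (k + 1) / (1 - x) + y ** (n - k + 1) / (1 - y)
    return lhs, rhs


if __name__ == "__main__":
    p, d, dperp = zeta_numerator(G_EXAMPLE2)
    print("d, d^perp =", d, dperp, "; nonzero p_i:", [i for i, c in enumerate(p) if c])
    for i, c in enumerate(p):
        print(f"p_{i}(u) =", [str(x) for x in c])
    print("(11) at u=2, T=1/3:", check_identity_11(G_EXAMPLE2, 2, "1/3"))
```

The printed $p_i(u)$ reproduce the numerator of Example 2 (including the overall factor $1/14$, which is $b_0 = B_3/\binom{8}{3} = 4/56$), and the coefficients vanish for $i > n + 2 - d - d^\perp = 4$, as the degree statement after (8) predicts.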
Standard terminology refers to circuits of size one as loops and to cocircuits of size one as bridges or isthmuses. A linear code is without bridges if and only if $d > 1$ and without loops if and only if $d^\perp > 1$. 

Theorem 3. Let $M$ be a matroid without bridges of size $n$ and rank $k$ with normalized rank polynomial $W_n(x,y)$. The average normalized rank polynomial for the $n$ restricted matroids of size $n-1$ is $W_n(x,y) - \,\cdot\,$. The normalized rank function $W^+(x,y)$ of a matroid equals the average normalized rank function of its restricted matroids of size $n-1$. 

Proof. The second claim is immediate from the first. The matroids restricted to $n-1$ elements have the same rank as the original matroid. The contribution of a subset $A$ with $|A| < n$ is the same for the original and for the averaged rank polynomial. The unique set $A$ of size $|A| = n$ contributes $\,\cdot\,$ to the original rank polynomial and $0$ to the averaged rank polynomial. 

A uniform matroid of size $n$ and rank $k$ has

$$W_n(x,y) = x^k + \cdots + x + 1 + y + \cdots + y^{n-k}, \qquad W^+(x,y) = \frac{1-xy}{(1-x)(1-y)},$$

$$Z(T,u) = \frac{-T^{-1}}{(1-uT)(1-T^{-1})} = \frac{1}{(1-T)(1-uT)}.$$



9 Greene's Theorem 

The zeta function of a code was defined in Section 7 in terms of its binomial moments, that is to say in terms of its weight enumerator. The significant finite term in the rank function is defined in terms of the rank polynomial of the code. Thus (11) yields a relation between the weight enumerator of a code and its rank polynomial. We show that the relation is Greene's theorem. 

First we relate the weight enumerator of a code to its binomial moments. The proof is short and well-known. Let $B^1(x,y) = \sum_{j=0}^{n} B_j\, x^{n-j} y^{j}$ be the enumerator for the binomial moments. For a weight enumerator $A(x,y) = x^n + (q-1)A^1(x,y)$, we claim that $B^1(x,y) = A^1(x+y, y)$. The support of a codeword of weight $i$ contributes one to $B_j$ for each subset $S$ of size $j$ that contains the support, so that $B_j = \sum_i \binom{n-i}{j-i} A^1_i$, and $B^1(x,y) = A^1(x+y,y)$. Let $B(x,y) = (x+y)^n + (q-1)B^1(x,y) = A(x+y,y)$. Let

$$A_n(x,y) = \sum_{i=0}^{n} \frac{1}{\binom{n}{i}}\, A_i\, x^{n-i} y^{i}. \tag{13}$$

Define $A^1_n(x,y)$, $B_n(x,y)$, $B^1_n(x,y)$ in the same way. From the definition of the zeta function,

$$(q-1)\,Z(T)\,T^{d} = B^1_n(1,T) \pmod{T^{n+1}}.$$
With (11),

$$W^+(qT, T^{-1})\,T^{\,n-k} = B^1_n(1,T) \pmod{T^{n+1}}. \tag{14}$$

Adding $-T^{\,n-k}\,\dfrac{(T^{-1})^{\,n-k+1}}{1-T^{-1}} = 1/(1-T)$ to both sides gives an equality among polynomials of degree $n$:

$$W_n(qT, T^{-1})\,T^{\,n-k} = B_n(1,T). \tag{15}$$

The normalization on both sides is the same at each coefficient of $T^i$, and the relation holds if we replace $W_n$ and $B_n$ with $W$ and $B$, respectively. We find

$$B(x,y) = y^{\,n-k}\, x^{k}\; W\!\left(\frac{qy}{x}, \frac{x}{y}\right). \tag{16}$$

Finally $A(x+y, y) = B(x,y)$ gives Greene's theorem,

$$A(x,y) = (x-y)^k\, y^{\,n-k}\; W\!\left(\frac{qy}{x-y}, \frac{x-y}{y}\right).$$

The purpose of the above proof is to make the relation between (11) and Greene's theorem explicit. Relation (16), which provides the connection, has a direct and much shorter proof. Let $C^i_l$ be the number of $S \subseteq \{1, 2, \ldots, n\}$ with $|S| = i$ and $k_S = \dim(C_S) = l$. Then

$$B^1(x,y) = \sum_i \sum_l C^i_l\, \frac{q^l - 1}{q - 1}\, x^{n-i} y^{i}, \qquad B(x,y) = \sum_i \sum_l C^i_l\, q^{l}\, x^{n-i} y^{i}.$$

On the other hand, let $S$ have complement $A$ in $G$. As in the previous section, we use the rank polynomial

$$W(x,y) = \sum_{A} x^{r(G)-r(A)}\, y^{|A|-r(A)}$$

with $r(G) - r(A) = k_S$ and $|A| - r(A) = n - |S| - k + k_S$:

$$W(x,y) = y^{-k} \sum_i \sum_l C^i_l\, (xy)^{l}\, y^{\,n-i}.$$

And (16) follows. By using (15) we find a normalized version of Greene's theorem. For $A(x+y, y) = B(x,y)$ homogeneous of degree $n$,

$$A_n(1,T) = B_n(1,T)\,(1-T) \pmod{T^{n+1}}.$$

As in [12], 

A„(1, t)(i + t)"+i = ^)(1 + (mod r+i). 
In another form, using (14), 

= + (modr-'^+i). (17) 



Theorem 4 ([11]). Let $C$ be a linear code of length $n$ with minimum distance $d \ge 2$. The expression $B^1_n(1,t)\,(1+t)^{n+1}\,t^{-d}$ modulo $\,\cdot\,$ is the same for the code and for the average over its $n$ punctured codes (obtained by restriction of the code to $n-1$ coordinates). 

Proof. Apply Theorem 3 to the right side of (17). 



10 Decomposition of Zeta Functions 

The decomposition of $W^{gs}$ in (1) and of $Z(T,u)$ in (3) uses as finite term a summation over all divisor classes of degree $0 \le \deg[D] \le 2g-2$. This decomposition goes back to Weil [40] and is followed in [24], [33]. Duursma [14, Lemma 5] and vanderGeer-Schoof [37, Section 2] use a different decomposition. Two properties of divisors ensure that $W^{gs}(x,y)$ is a rational function. 

(W1) The exponents $h^0(D)$ and $h^1(D)$ are nonnegative, such that for almost all $[D]$ either $h^0 = 0$ or $h^1 = 0$. 

(W2) The number of $[D]$ with given difference $h^0 - h^1$ is constant and equal to $h$. 

Starting from these properties, we define as finite term

$$W^*(x,y) = \sum_{h^0 \ge h^1}{}' x^{h^0-h^1}\left((xy)^{h^1} - 1\right) + \sum_{h^1 \ge h^0}{}' y^{h^1-h^0}\left((xy)^{h^0} - 1\right).$$

As in [37], divisors with $h^0 = h^1$ in $\sum'$ are counted with multiplicity $1/2$. Then

$$W^{gs}(x,y) = W^*(x,y) + \sum_{h^0 \ge h^1}{}' x^{h^0-h^1} + \sum_{h^1 \ge h^0}{}' y^{h^1-h^0} = W^*(x,y) + h\,\frac{1-xy}{(1-x)(1-y)}.$$



The tail in $W^{gs}(x,y)$ assumes that all $h$ divisor classes of a given degree are non-special. The finite term $W^*(x,y)$ contains the necessary corrections for the special divisors. The same decomposition applied to $Z(T,u)$ yields

$$Z(T,u) = \sum_{h^0 \le h^1}{}' \frac{u^{h^0} - 1}{u - 1}\, T^{\,h^0-h^1+g-1} + \sum_{h^0 \ge h^1}{}' \frac{u^{h^0-h^1}\left(u^{h^1} - 1\right)}{u - 1}\, T^{\,h^0-h^1+g-1} + \sum_{h^0 \ge h^1}{}' \frac{u^{h^0-h^1} - 1}{u - 1}\, T^{\,h^0-h^1+g-1}.$$

After collecting the variables $uT$, $T^{-1}$,

$$(u-1)\,T^{1-g}\,Z(T,u) = \sum_{h^0 \le h^1}{}' (T^{-1})^{h^1}\left((uT)^{h^0} - T^{h^0}\right) + \sum_{h^0 \ge h^1}{}' (uT)^{h^0}\left(T^{-h^1} - (uT)^{-h^1}\right) + \sum_{h^0 \ge h^1}{}' \left((uT)^{h^0-h^1} - T^{h^0-h^1}\right).$$

And we recover (10). As in [14], we define $Z^*(T,u)$ via

$$Z(T,u) = Z^*(T,u) + \frac{h\,T^{g}}{(1-T)(1-uT)}, \tag{18}$$

so that $Z^*(T,u)$ is a polynomial with contributions by special divisors only. The decomposition is compatible with the decomposition of $W(x,y)$:

$$(u-1)\,T^{1-g}\,Z^*(T,u) = W^*(uT, T^{-1}).$$

Conditions (W1) and (W2) hold for the normalized rank function of a matroid, with $h = 1$, and the above decomposition carries through. For a matroid we find

$$W^+(x,y) = W^*(x,y) + \frac{1-xy}{(1-x)(1-y)},$$

for polynomials $W^*(x,y)$ and $Z^*(T,u)$, such that $W^*$ is the normalization of the polynomial

$$W^*(x,y) = \sum_{h^0 \ge h^1 > 0}{}' x^{h^0-h^1}\left((xy)^{h^1} - 1\right) + \sum_{h^1 \ge h^0 > 0}{}' y^{h^1-h^0}\left((xy)^{h^0} - 1\right).$$


11 Support Weights 

With a linear code is associated a second family of weight enumerators, the so-called support weight enumerators. They first appeared in [21] and [18]. They became the object of intense study after Wei described an application to cryptography [39]. For an overview of results we refer to the paper by Tsfasman and Vladuts [34]. The papers [13], [3] make a connection with matroids. A linear subspace $D \subseteq C$ has support

$$\mathrm{Supp}(D) = \{ i : \exists\, v \in D,\ v_i \ne 0 \}.$$

The support weight of $D$ is $|\mathrm{Supp}(D)|$ (also called effective length or generalized Hamming weight). The $j$-th support weight enumerator is defined as

$$A^j(x,y) = \sum_{D \subseteq C,\ \dim D = j} x^{\,n - |\mathrm{Supp}(D)|}\, y^{\,|\mathrm{Supp}(D)|} = \sum_{i=0}^{n} A^j_i\, x^{n-i} y^{i},$$

where $A^j_i$ is the number of subspaces $D \subseteq C$ with $\dim D = j$ and support weight $i$. 
For the weight enumerator $A(x,y)$ of the code, we find $A(x,y) = A^0(x,y) + (q-1)A^1(x,y)$. The support weight enumerators are determined by the rank polynomial of the matroid of the code. But there is no immediate analogue of Greene's theorem and, unlike the usual weight enumerators, support weight enumerators can in general not be obtained as the evaluation of the rank polynomial with suitable arguments. But they can be written as a linear combination of such evaluations. For this we need to consider the linear codes $C^{(m)}$ that are generated by the code $C$ but have their coefficients in the extension field $F_{q^m}$. Klove [22, Lemma 4] gives for the weight enumerator of $C^{(m)}$

$$A(C^{(m)})(x,y) = \sum_{j=0}^{m} [m]_j\, A^j(x,y),$$

where $[m]_j = (q^m - 1)(q^m - q)\cdots(q^m - q^{j-1})$. Let $A^{(m)}(x,y)$ be the first support weight enumerator for the code $C^{(m)}$, that is, $A(C^{(m)})(x,y) = x^n + (q^m - 1)A^{(m)}(x,y)$. The above relation becomes

$$[m]_1\, A^{(m)}(x,y) = \sum_{j=1}^{m} [m]_j\, A^j(x,y). \tag{19}$$

The relation appears in [21]. Theorem 3.6 of [34] is similar but lacks the factor $[m]_1 = (q^m - 1)$. The relation is invertible, so that $A^j(x,y)$ can be expressed as a linear combination of $A^{(1)}(x,y), \ldots, A^{(j)}(x,y)$. 

Let $C^i_l$ be the number of $S \subseteq \{1, 2, \ldots, n\}$ with $k_S = \dim(C_S) = l$ and $|S| = i$. The Gaussian coefficient

$$\begin{bmatrix} l \\ j \end{bmatrix}_q = \frac{(q^l - 1)(q^l - q)\cdots(q^l - q^{j-1})}{(q^j - 1)(q^j - q)\cdots(q^j - q^{j-1})}$$

gives the number of $j$-dimensional subspaces in an $l$-dimensional vector space over $F_q$. For the code $C^{(m)}$ we define binomial moments $B^{(m)}_i$ by

$$B^{(m)}(x,y) = \sum_i \sum_{|S|=i} \frac{q^{m k_S} - 1}{q^m - 1}\, x^{n-i} y^{i} = \sum_i \sum_l C^i_l\, \frac{q^{ml} - 1}{q^m - 1}\, x^{n-i} y^{i}.$$

Then $B^{(m)}(x,y) = A^{(m)}(x+y, y)$. For the support weights, define binomial moments $B^j_i$ via

$$B^j(x,y) = \sum_i \sum_{|S|=i} \begin{bmatrix} k_S \\ j \end{bmatrix}_q x^{n-i} y^{i} = \sum_i \sum_l C^i_l \begin{bmatrix} l \\ j \end{bmatrix}_q x^{n-i} y^{i}.$$
Then $B^j(x,y) = A^j(x+y, y)$. As in [3], Equation (19) now follows from the relation for Gaussian coefficients

The left side is the number of nonzero row vectors of length $l$ over $F_{q^m}$. The right side is the number of nonzero $m \times l$ matrices over $F_q$, counted by their rank $j$. 
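As an added example (not from the paper), the following Python computes the support weight enumerators $A^j(x,y)$ of the Example 2 code by enumerating its subspaces, builds the weight enumerator of $C^{(m)}$ for small $m$, and checks Klove's relation $A(C^{(m)}) = \sum_j [m]_j A^j$ as stated above. For the extension code it uses that, with $\beta_1, \ldots, \beta_m$ an $F_2$-basis of $F_{2^m}$, every word of $C^{(m)}$ is uniquely $\sum_t \beta_t v_t$ with $v_t \in C$, and a coordinate of that word vanishes exactly when it vanishes in every $v_t$; so the support of the word is the union of the supports of the $v_t$, and no arithmetic in $F_{2^m}$ is needed. Enumerators are stored as lists indexed by the support weight $i$ (the coefficient of $x^{n-i}y^i$). The minimum support weights $d_r(C)$ of the next paragraphs are read off from the same data.

```python
from itertools import combinations, product

# Constructed input: the [8,4] binary code of Example 2, rows as bit lists
# (coordinate j <-> bit j of a codeword integer).
G_EXAMPLE2 = [
    [1, 0, 0, 0, 1, 1, 0, 0],
    [0, 1, 0, 0, 0, 1, 1, 0],
    [0, 0, 1, 0, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 0, 0, 1],
]
Q = 2


def code_as_ints(G):
    """All 2^k codewords as integers, one per choice of row coefficients."""
    rows = [sum(bit << j for j, bit in enumerate(row)) for row in G]
    words = []
    for coeffs in product((0, 1), repeat=len(rows)):
        w = 0
        for c, r in zip(coeffs, rows):
            if c:
                w ^= r
        words.append(w)
    return words


def support_weights(G):
    """A[j][i]: number of j-dimensional subspaces D of C with |Supp(D)| = i.
    Subspaces are enumerated as spans of j linearly independent nonzero
    codewords (a span of size 2^j), deduplicated as sets of words."""
    n, k = len(G[0]), len(G)
    nonzero = [w for w in code_as_ints(G) if w]
    A = [[0] * (n + 1) for _ in range(k + 1)]
    A[0][0] = 1                                  # the zero subspace has empty support
    for j in range(1, k + 1):
        seen = set()
        for gens in combinations(nonzero, j):
            span = {0}
            for g in gens:
                span |= {s ^ g for s in span}
            if len(span) != 2 ** j:              # generators were dependent
                continue
            D = frozenset(span)
            if D in seen:
                continue
            seen.add(D)
            supp = 0
            for w in D:
                supp |= w                        # Supp(D) = union of the supports
            A[j][bin(supp).count("1")] += 1
    return A


def weight_hierarchy(G):
    """d_r(C) = min{|Supp(D)| : dim D = r} for r = 1..k."""
    A = support_weights(G)
    return [min(i for i, c in enumerate(A[r]) if c) for r in range(1, len(A))]


def extension_weight_distribution(G, m):
    """Weight distribution of C^(m), the code over F_{2^m} generated by C.
    Its words are sum_t beta_t v_t with v_t in C (beta_t an F_2-basis of
    F_{2^m}), whose support is the union of the supports of the v_t."""
    n, words = len(G[0]), code_as_ints(G)
    W = [0] * (n + 1)
    for tup in product(words, repeat=m):
        supp = 0
        for w in tup:
            supp |= w
        W[bin(supp).count("1")] += 1
    return W


def falling_q(m, j, q=Q):
    """[m]_j = (q^m - 1)(q^m - q) ... (q^m - q^{j-1}); [m]_0 = 1."""
    out = 1
    for t in range(j):
        out *= q ** m - q ** t
    return out


def klove_rhs(G, m):
    """sum_j [m]_j A^j(x,y), as a list indexed by support weight."""
    A, n = support_weights(G), len(G[0])
    return [sum(falling_q(m, j) * A[j][i] for j in range(len(A))) for i in range(n + 1)]


def klove_holds(G, m):
    return extension_weight_distribution(G, m) == klove_rhs(G, m)


if __name__ == "__main__":
    for j, row in enumerate(support_weights(G_EXAMPLE2)):
        print(f"A^{j}:", row)
    print("weight hierarchy:", weight_hierarchy(G_EXAMPLE2))
    for m in (1, 2, 3):
        print(f"Klove's relation for C^({m}):", klove_holds(G_EXAMPLE2, m))
```

For $m = 1$ the relation reduces to $A = A^0 + A^1$, since $[1]_j = 0$ for $j \ge 2$; for larger $m$ the subspaces of dimension $2, 3, \ldots$ contribute with the factors $[m]_j$.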

The zeta function $Z(T)$ of a linear code was defined in (6) as the generating function for the normalized binomial moments:

$$[x^{n-i} y^{i}\, T^{\,n-d}]\; Z(T)\,(y + xT)^n = B_i.$$

In general, for a code over the extension field $F_{q^m}$ we have

$$[T^{\,n-d}]\; Z(T, q^m)\,(y + xT)^n = B^{(m)}(x,y).$$

The decomposition $[m]_1 B^{(m)}(x,y) = \sum_{j=1}^{m} [m]_j B^j(x,y)$ implies the existence of generating functions $Z_j(T)$ with

$$[m]_1\, Z(T, q^m) = \sum_{j=1}^{m} [m]_j\, Z_j(T), \tag{20}$$

$$[T^{\,n-d}]\; Z_j(T)\,(y + xT)^n = B^j(x,y). \tag{21}$$

To describe $Z_j(T)$ we make use of (18). For the polynomial part, let

$$(u-1)\,Z^*(T,u) = \sum_{j \ge 1} [u]_j\, Z^*_j(T), \tag{22}$$

where $[u]_j = (u-1)(u-q)\cdots(u-q^{j-1})$, so that the right side gives the Newton decomposition of the polynomial $(u-1)Z^*(T,u)$, considered as a polynomial of degree $g^\perp$ in $u$, with respect to the sequence $(1, q, q^2, \ldots, q^{g^\perp - 1})$. For the rational part, let

be a generating function for the Gaussian coefficients. Then

$$[m]_1\, \frac{1}{(1-T)(1-q^m T)} = \sum_{j=1}^{m} [m]_j\, G_j(T).$$

Adding the two contributions yields 

Theorem 5. The generating function $Z_j(T)$ for the $j$-th support weights, as defined by (21), can be written as

$$Z_j(T) = Z^*_j(T) + h\,T^{g}\, G_j(T) \qquad (h = 1,\ g = n + 1 - k - d)$$

for a polynomial $Z^*_j(T)$ as in (22) and for $G_j(T)$ as in (23). For $j > g^\perp$, $Z^*_j(T)$ vanishes. 



Example 3. The first order Reed-Muller code $[16, 5, 8]$ has 



1 Q 11^ 



143 13 

= Zl{T) + {u-2) Z*{T). 



_ 



13 



ur 



Its dual, the second order Reed-Muller code $[16, 11, 4]$, has

$$Z^*(T,u) = \frac{\,\cdot\,}{13} + \frac{\,\cdot\,}{13}\,T + \frac{\,\cdot\,}{143}\,uT^2 + \frac{\,\cdot\,}{143}\,u^2T^3 + \frac{\,\cdot\,}{429}\,u^3T^4$$

$$= Z^*_1(T) + (u-2)\,Z^*_2(T) + (u-2)(u-4)\,Z^*_3(T) + (u-2)(u-4)(u-8)\,Z^*_4(T).$$



The $g^\perp$ polynomials $Z^*_1(T), \ldots, Z^*_{g^\perp}(T)$ determine $Z(T,u)$ and thus the weight distribution of $C^{(m)}$ for all $m \ge 1$. But some of the $Z^*_j(T)$ may be redundant. 

Theorem 6. The two-variable zeta function $Z(T,u)$ is determined by its values for $u = q, \ldots, q^\lambda$, or equivalently by $Z^*_1(T), \ldots, Z^*_\lambda(T)$, where

$$\lambda = \max\{ h^0 : [x^{h^0} y^{h^0}]\, W(x,y) \ne 0 \} \le \min\{g, g^\perp\}.$$

In particular, for a linear code $\lambda = \max\{ k_S : |S| = n - k \}$. 

Proof. Let $\lambda$ be minimal such that for all elements in the matroid either the corank or the nullity is at most $\lambda$. Then $W(x,y)$ can be obtained from its evaluations on $\lambda$ distinct hyperbolas $xy = q_1, q_2, \ldots, q_\lambda$. 

The problem of how many weight distributions determine all remaining weight distributions is posed in [21]. That paper suggests a solution that is one weaker than the proposition. Also, the solution depends on an unproved condition. The condition always holds, and a minor modification strengthens the solution by one, so that it agrees with the Theorem. In Example 3, $\lambda = 1$. 



The $r$-th minimum support weight $d_r(C)$ of the code $C$ is defined as

$$d_r(C) = \min\{ |\mathrm{Supp}(D)| : \dim D = r \} = \min\{ |S| : k_S = r \}.$$

Wei gives a relation for the weight hierarchy of a code and its dual [39]:

$$\{1, 2, \ldots, n\} = \{ d_r(C) : r = 1, \ldots, k \} \;\cup\; \{ n + 1 - d_r(C^\perp) : r = 1, \ldots, n - k \}. \tag{24}$$




Combinatorics of the Two- Variable Zeta Function 131 

In terms of the rank polynomial of the code,

$$d_r(C) = \min\{ n - k + r - s : [x^r y^s]\, W_C(x,y) \ne 0 \}. \tag{25}$$

In Figure 7, the minimum support weights correspond to the $k$ horizontal steps in the path of length $n$ from the closed dot to the open dot. The minimum support weights of the dual code correspond to the $n-k$ vertical steps of the same path in the opposite direction. This proves (24). 

Figure 8: Rank polynomial of a curve and its gonality sequence. 

Figure 9: Rank polynomial and $r$-th support weights. (Horizontal axis: $0, 1, \ldots, r, \ldots, k$.) 

Figure 10: Rank polynomial and Hamming weights up to $s$. (Vertical axis: $0, \ldots, n-k-s, \ldots, n-k$; horizontal axis: $0, 1, \ldots, k$.) 

Figure 9 indicates the part of the rank polynomial that is needed to enumerate the support weights of subspaces of dimension at least $r$ in a code. Figure 10 indicates the part of the rank polynomial that is needed to enumerate words of weight at most $s$ in a code. The part of the rank polynomial that enumerates the words of weight at most $s$ enumerates the support weights of dimension $t$ in the dual code for $k - (\,\cdot\, - t) \le t - (n - k - s)$, or for $d_t(C^\perp) > n - s$. 

12 Algebraic-Geometric Codes 

Let $X$ be a curve, $D$ a divisor and $\mathcal{P} = (P_1, P_2, \ldots, P_n)$ a list of $n$ rational points on the curve. The code $C(D, \mathcal{P})$ is the image of $L(D)$ under evaluation in $\mathcal{P}$. The rank polynomial of the code is

$$W_C(x,y) = \sum_{S \subseteq \{1, 2, \ldots, n\}} x^{h^0(S)}\, y^{h^1(S)},$$

where $h^0$ and $h^1$ are the corank and nullity of a subset, respectively. Define the geometric rank polynomial of the code as

$$W_X(x,y) = \sum_{0 \le E \le P_1 + \cdots + P_n} x^{h^0(E)}\, y^{h^1(E)}.$$

We establish the relation between $W_C$ and $W_X$. The dimensions of the code and of its dual are

$$k = l(D) - l(D - (P_1 + \cdots + P_n)), \qquad k^\perp = i(D - (P_1 + \cdots + P_n)) - i(D).$$

Let $a = l(D - (P_1 + \cdots + P_n))$ and $a^\perp = i(D)$ be the abundance of the code and of its dual, respectively [29]. With

$$h^0(E) = k - (l(D) - l(D-E)) = l(D-E) - a, \qquad h^1(E) = |E| - (l(D) - l(D-E)) = i(D-E) - a^\perp,$$

we find 

Wx{x,y) = (26) 

The gonality sequence $\{\gamma_t\}$ of a curve is defined by $\gamma_t = \min\{ \deg F : l(F) \ge t \}$. Figure 8 shows the relation between the rank function of a curve and its gonality sequence. Combination of (26) with (25) yields Munuera's lower bound for the $r$-th Hamming distance $d_r$ of a code in terms of the gonality sequence of a curve [25], [42]. With $r - s = h^0 - h^1 = k - |E|$,

$$d_r(C) = \min\{ n - |E| : l(D-E) = r + a \text{ and } i(D-E) = s + a^\perp \} \ge \min\{ n - |E| : l(D-E) = r + a \} \ge n - \deg D + \gamma_{r+a}.$$

Next, consider a family of codes $C_1 = C, C_2, \ldots$ defined with inequivalent divisors $D_1 = D, D_2, \ldots$ of the same degree $2g - 2 < \deg(D) < n$. All codes have $a = a^\perp = 0$. Then

$$\sum_{i=1}^{h} W_{n, C_i}(x,y) = \sum_{i=1}^{h} \sum_{j=0}^{n} \frac{1}{\binom{n}{j}} \sum_{\substack{0 \le E \le P_1 + \cdots + P_n \\ \deg E = j}} x^{h^0(E)}\, y^{h^1(E)} = \sum_{\deg D - n \le \deg[B] \le \deg D} x^{h^0(B)}\, y^{h^1(B)}.$$
The last summation is over all divisor classes with degree in the given range. The range includes the interval $0 \le \deg[B] \le 2g-2$. Adding

$$\sum_{i=1}^{h} \left( \frac{x^{k+1}}{1-x} + \frac{y^{\,n-k+1}}{1-y} \right) = h\, \frac{x^{\,\deg D + 2 - g}}{1-x} + h\, \frac{y^{\,n - \deg D + g}}{1-y}$$

to the equation yields

$$\sum_{i=1}^{h} W^+_{C_i}(x,y) = W^{gs}(x,y). \tag{27}$$

Theorem 7. Let $C_1, \ldots, C_h$ be codes defined with inequivalent divisors of the same degree $2g - 2 < \deg D < n$. The two-variable zeta function of the $h$ linear codes and the two-variable zeta function of the curve satisfy

$$\sum_{i=1}^{h} T^{\,g - g(C_i)}\, Z_{C_i}(T,u) = Z(T,u).$$

Proof. This follows from (27) with (10) and (11). Note that the Goppa bound for codes gives $g(C_i) = n + 1 - k - d \le g$. 
Abstract. Two orthonormal bases $B$ and $B'$ of a $d$-dimensional complex inner-product space are called mutually unbiased if and only if $|\langle b | b' \rangle|^2 = 1/d$ holds for all $b \in B$ and $b' \in B'$. The size of any set containing pairwise mutually unbiased bases of $\mathbb{C}^d$ cannot exceed $d + 1$. If $d$ is a power of a prime, then extremal sets containing $d + 1$ mutually unbiased bases are known to exist. We give a simplified proof of this fact based on the estimation of exponential sums. We discuss conjectures and open problems concerning the maximal number of mutually unbiased bases for arbitrary dimensions. 

Key words: Quantum cryptography, quantum state estimation, Weil sums, finite fields, Galois rings. 



1 Motivation 

The notion of mutually unbiased bases emerged in the literature of quantum mechanics in 1960 in the works of Schwinger [18]. Two orthonormal bases $B$ and $B'$ of the vector space $\mathbb{C}^d$ are called mutually unbiased if and only if $|\langle b | b' \rangle|^2 = 1/d$ holds for all $b \in B$ and all $b' \in B'$; here $\langle b | b' \rangle$ denotes the standard hermitian inner product on the complex vector space that is anti-linear in the first argument and linear in the second, $\langle b | b' \rangle = b^\dagger b'$. Schwinger realized that no information can be retrieved when a quantum system which is prepared in a basis state from $B'$ is measured with respect to the basis $B$. A striking application is the protocol by Bennett and Brassard [5], which exploits this observation to distribute secret keys over a public channel in an information-theoretically secure way (see also [4]). 

Any collection of pairwise mutually unbiased bases of $\mathbb{C}^d$ has cardinality $d + 1$ or less, see [3, 11, 13, 15, 22]. Extremal sets attaining this bound are of considerable interest. Ivanovic showed that the density matrix of an ensemble of $d$-dimensional quantum systems can be completely reconstructed from the statistics of measurements with respect to $d + 1$ mutually unbiased bases [14]. Furthermore, he showed that the density matrix cannot be reconstructed from the statistics of fewer measurements. 
Let $N(d)$ denote the maximum cardinality of any set containing pairwise mutually unbiased bases of $\mathbb{C}^d$. It is known that $N(d) = d + 1$ holds when $d$ is a prime power, see [3, 14, 22]. We derive a simplified proof of this result, which takes advantage of Weil-type exponential sums. We present two different constructions, both based on Weil sums over finite fields, in the case of odd prime power dimensions. We exploit exponential sums over Galois rings in the case of even prime power dimensions. If the dimension $d$ is not a prime power, then the exact value of $N(d)$ is not known. We discuss lower bounds, conjectures, and open problems in the fourth section. 



2 Odd Prime Powers 

Let $F_q$ be a finite field with $q$ elements which has odd characteristic $p$. Denote the absolute trace from $F_q$ to the prime field $F_p$ by $\mathrm{tr}(\cdot)$. Each nonzero element $a \in F_q$ defines a non-trivial additive character $F_q \to \mathbb{C}$ by 



where $\omega_p = \exp(2\pi i / p)$ is a primitive $p$-th root of unity. All non-trivial additive characters are of this form. 

Lemma 1 (Weil sums). Let $F_q$ be a finite field of odd characteristic and $\chi$ a non-trivial additive character of $F_q$. Let $p(X) \in F_q[X]$ be a polynomial of degree 2. Then

$$\left| \sum_{x \in F_q} \chi(p(x)) \right| = \sqrt{q}.$$

We refer to [17, Theorem 5.37] or [7, p. 313] for a proof. We will use this lemma in the following constructions of mutually unbiased bases. 

Convention. In the following, we will tacitly assume that the elements of $F_q$ are listed in some fixed order, and this order will be used whenever an object indexed by elements of $F_q$ appears. 

We begin with a historical curiosity. Schwinger introduced the concept of mutually unbiased bases in 1960. However, he did not construct extremal sets of mutually unbiased bases, except in low dimensions, and no further progress was made during the next twenty years. Alltop constructed in 1980 complex sequences with low correlation for spread spectrum radar and communication applications [1]. It turns out that the sequences given by Alltop provide $p + 1$ mutually unbiased bases in dimension $p$, for all primes $p \ge 5$. Unfortunately, Alltop was not aware of his contribution to quantum physics, and his work was not noticed until recently. Our first construction generalizes the Alltop sequences to prime power dimensions. 
Theorem 1. Let $F_q$ be a finite field of characteristic $p \ge 5$. Let $B_\alpha$ denote the set of vectors

$$B_\alpha = \{ b_{\lambda,\alpha} \mid \lambda \in F_q \}, \qquad b_{\lambda,\alpha} = \frac{1}{\sqrt{q}} \left( \omega_p^{\,\mathrm{tr}((k+\alpha)^3 + \lambda (k+\alpha))} \right)_{k \in F_q}.$$

The standard basis and the sets $B_\alpha$, with $\alpha \in F_q$, form an extremal set of $q + 1$ mutually unbiased bases of the vector space $\mathbb{C}^q$. 

Proof. Notice that $B_\alpha$ is an orthonormal basis because

$$\langle b_{\kappa,\alpha} | b_{\lambda,\alpha} \rangle = \frac{1}{q} \sum_{k \in F_q} \omega_p^{\,\mathrm{tr}((\lambda - \kappa)(k+\alpha))}.$$

Indeed, the right hand side equals 0 when $\kappa \ne \lambda$, because the argument $k + \alpha$ ranges through all values of $F_q$, and equals 1 when $\kappa = \lambda$. 

Note that all components of the sequence $b_{\lambda,\alpha}$ have absolute value $1/\sqrt{q}$, hence the basis $B_\alpha$ and the standard basis are mutually unbiased, for any $\alpha \in F_q$. 

By computing the inner product $|\langle b_{\kappa,\alpha} | b_{\lambda,\beta} \rangle|$ for $\alpha \ne \beta$, we see that the terms cubic in $k$ cancel out and, moreover, that the exponent is given by the trace of a quadratic polynomial in $k$. By Lemma 1 the inner product evaluates to $q^{-1/2}$, hence $B_\alpha$ and $B_\beta$ are mutually unbiased. □ 

Remark 1. A remarkable feature of the previous construction is that knowledge of one basis $B_\alpha$ is sufficient, because shifting the indices by adding a field element yields the other bases. The construction does not work in characteristic 2 and 3, because in these cases the sets $B_\alpha$ and $B_\beta$, with $\alpha \ne \beta$, are not mutually unbiased. 

Ivanović gave a fresh impetus to the field in 1981 with his seminal paper [14]. Among other things, he gave explicit constructions of $p+1$ mutually unbiased bases of $\mathbb{C}^p$, for $p$ a prime. His construction was later generalized in the influential paper by Wootters and Fields [22], who gave the first proof of the following theorem. This proof was recently rephrased by Chaturvedi [9], and an alternate proof was given by Bandyopadhyay et al. [3]. We give a particularly short proof by taking advantage of Weil sums.

Theorem 2. Let $\mathbb{F}_q$ be a finite field with odd characteristic $p$. Denote by $B_a = \{\, v_{a,b} \mid b \in \mathbb{F}_q \,\}$ the set of vectors given by
$$v_{a,b} = \frac{1}{\sqrt{q}}\left(\omega_p^{\operatorname{tr}(ax^2 + bx)}\right)_{x \in \mathbb{F}_q}.$$
The standard basis and the sets $B_a$, with $a \in \mathbb{F}_q$, form an extremal set of $q+1$ mutually unbiased bases of $\mathbb{C}^q$.

Proof. By definition
$$\left|\langle v_{a,b} \mid v_{c,d} \rangle\right| = \frac{1}{q}\left|\sum_{x \in \mathbb{F}_q} \omega_p^{\operatorname{tr}((a-c)x^2 + (b-d)x)}\right|. \tag{1}$$
Suppose that $a = c$. The right hand side evaluates to 1 if $b = d$, and to 0 if $b \neq d$. This proves that $B_a$ is an orthonormal basis. The coefficients of the vector $v_{a,b}$ have absolute value $q^{-1/2}$, hence $B_a$ is mutually unbiased with the standard basis. On the other hand, if $a \neq c$, then the right hand side evaluates to $q^{-1/2}$ by Lemma 1, which proves that the bases $B_a$ and $B_c$ are mutually unbiased. □

Example 1. In dimension 3, this construction yields the bases (with $\omega_3 = e^{2\pi i/3}$)

$B_0 = \{v_{0,0}, v_{0,1}, v_{0,2}\} = \{\, 3^{-1/2}(1,1,1),\ 3^{-1/2}(1,\omega_3,\omega_3^2),\ 3^{-1/2}(1,\omega_3^2,\omega_3) \,\}$,

$B_1 = \{v_{1,0}, v_{1,1}, v_{1,2}\} = \{\, 3^{-1/2}(1,\omega_3,\omega_3),\ 3^{-1/2}(1,\omega_3^2,1),\ 3^{-1/2}(1,1,\omega_3^2) \,\}$,

$B_2 = \{v_{2,0}, v_{2,1}, v_{2,2}\} = \{\, 3^{-1/2}(1,\omega_3^2,\omega_3^2),\ 3^{-1/2}(1,1,\omega_3),\ 3^{-1/2}(1,\omega_3,1) \,\}$,

which form together with the standard basis four mutually unbiased bases.



3 Even Prime Powers

We showed in the last section that extremal sets of $q+1$ mutually unbiased bases exist in dimension $q$ if $q$ is a power of an odd prime. In this section we treat the case when $q$ is a power of two. We cannot use Weil sums because Lemma 1 does not apply in even characteristic. However, it turns out that exponential sums over a finite Galois ring can serve as a substitute.

We recall some elementary facts about finite Galois rings, see [20] for more details. Let $\mathbb{Z}_4$ denote the residue class ring of integers modulo 4. Denote by $(2)$ the ideal generated by 2 in $\mathbb{Z}_4[x]$. A monic polynomial $h(x) \in \mathbb{Z}_4[x]$ is called basic primitive if and only if its image in $\mathbb{Z}_4[x]/(2) = \mathbb{Z}_2[x]$ under the canonical map is a primitive polynomial in $\mathbb{Z}_2[x]$. Let $h(x)$ be a monic basic primitive polynomial of degree $n$. The ring $\mathrm{GR}(4,n) = \mathbb{Z}_4[x]/(h(x))$ is called the Galois ring of degree $n$ over $\mathbb{Z}_4$.

The construction ensures that $\mathrm{GR}(4,n)$ has $4^n$ elements. The element $\xi = x + (h(x))$ is of order $2^n - 1$, provided $h(x)$ is taken to be the lift of its image that divides $x^{2^n-1} - 1$ in $\mathbb{Z}_4[x]$ (the Hensel lift); for another monic lift of the same primitive polynomial, $\xi$ can have order $2(2^n-1)$ instead, e.g. for $h(x) = x^3 + x + 1$ one finds $\xi^7 = 2\xi^2 + 3 \neq 1$. In any case, any element $r \in \mathrm{GR}(4,n)$ can be uniquely written in the form $r = a + 2b$, where $a, b \in T_n = \{0, 1, \xi, \dots, \xi^{2^n-2}\}$, the set of solutions of $r^{2^n} = r$. This representation in terms of the Teichmüller set $T_n$ is convenient, since it allows us to characterize the units of $\mathrm{GR}(4,n)$ as the elements $a + 2b$ with $a \neq 0$.

The automorphism $\sigma : \mathrm{GR}(4,n) \to \mathrm{GR}(4,n)$ defined by $\sigma(a + 2b) = a^2 + 2b^2$ is called the Frobenius automorphism. This map leaves the elements of the prime ring $\mathbb{Z}_4$ fixed. All automorphisms of $\mathrm{GR}(4,n)$ are of the form $\sigma^k$ for some integer $k \ge 0$. The trace map $\operatorname{tr} : \mathrm{GR}(4,n) \to \mathbb{Z}_4$ is defined by $\operatorname{tr}(x) = \sum_{k=0}^{n-1} \sigma^k(x)$.

Lemma 2. Keep the notation as above. The exponential sum $E : \mathrm{GR}(4,n) \to \mathbb{C}$ defined by $E(r) = \sum_{x \in T_n} \exp\!\left(\frac{2\pi i}{4} \operatorname{tr}(rx)\right) = \sum_{x \in T_n} i^{\operatorname{tr}(rx)}$ satisfies
$$|E(r)| = \begin{cases} 0 & \text{if } r \in 2T_n,\ r \neq 0, \\ 2^n & \text{if } r = 0, \\ \sqrt{2^n} & \text{otherwise.} \end{cases}$$
The above lemma is proved in [8, Lemma 3], see also [23]. This lemma will be crucial in the next construction of mutually unbiased bases.

Theorem 3. Let $\mathrm{GR}(4,n)$ be a finite Galois ring with Teichmüller set $T_n$. For $a \in T_n$, denote by $M_a = \{\, v_{a,b} \mid b \in T_n \,\}$ the set of vectors given by
$$v_{a,b} = 2^{-n/2}\left(\exp\!\left(\frac{2\pi i}{4}\operatorname{tr}((a+2b)x)\right)\right)_{x \in T_n} = 2^{-n/2}\left(i^{\operatorname{tr}((a+2b)x)}\right)_{x \in T_n}.$$
The standard basis and the sets $M_a$, with $a \in T_n$, form an extremal set of $2^n + 1$ mutually unbiased bases of $\mathbb{C}^{2^n}$.

Proof. By definition, and since $\operatorname{tr}$ is $\mathbb{Z}_4$-linear,
$$\left|\langle v_{a,b} \mid v_{a',b'} \rangle\right| = 2^{-n}\left|\sum_{x \in T_n} i^{\operatorname{tr}(((a'-a) + 2(b'-b))x)}\right| = 2^{-n}\,\bigl|E\bigl((a'-a) + 2(b'-b)\bigr)\bigr|.$$
If both vectors belong to the same basis, i.e., when $a = a'$, then $2(b'-b) \in 2T_n$ and Lemma 2 shows that the right hand side evaluates to 0 in case $b \neq b'$, and to 1 in case $b = b'$. This shows that $M_a$ is an orthonormal basis.

If the vectors belong to different bases, i.e., when $a \neq a'$, then $a' - a$ is a unit of $\mathrm{GR}(4,n)$ (its image in $\mathbb{Z}_2[x]/(h(x))$ is nonzero), so $(a'-a) + 2(b'-b)$ is a unit and Lemma 2 shows that $|\langle v_{a,b} \mid v_{a',b'} \rangle| = 2^{-n/2}$, hence $M_a$ and $M_{a'}$ are mutually unbiased. The entries of the vectors $v_{a,b}$ have absolute value $2^{-n/2}$, thus the standard basis and $M_a$ are mutually unbiased for all $a \in T_n$. □

Example 2. We illustrate this construction by deriving five mutually unbiased bases in $\mathbb{C}^4$. In this case, the Galois ring $\mathrm{GR}(4,2) = \mathbb{Z}_4[x]/(x^2+x+1)$ with 16 elements is the basis of the construction. The Teichmüller set is given by $T_2 = \{0, 1, \xi, \xi^2\} = \{0, 1, \xi, 3\xi+3\}$, since $\xi^2 = -\xi - 1$ and $\xi^3 = 1$. Recall that an element of $\mathrm{GR}(4,2)$ can be represented in the form $a + 2b$ with $a, b \in T_2$. By definition, $\operatorname{tr}(a + 2b) = a + 2b + a^2 + 2b^2$; in particular $\operatorname{tr}(1) = 2$ and $\operatorname{tr}(\xi) = \operatorname{tr}(\xi^2) = 3$.

Computing the basis vectors, with coordinates indexed by $x = 0, 1, \xi, \xi^2$ and the vectors $v_{a,b}$ of $M_a$ listed for $b = 0, 1, \xi, \xi^2$, yields

$M_0 = \{\, \tfrac12(1,1,1,1),\ \tfrac12(1,1,-1,-1),\ \tfrac12(1,-1,-1,1),\ \tfrac12(1,-1,1,-1) \,\}$,

$M_1 = \{\, \tfrac12(1,-1,-i,-i),\ \tfrac12(1,-1,i,i),\ \tfrac12(1,1,i,-i),\ \tfrac12(1,1,-i,i) \,\}$,

$M_\xi = \{\, \tfrac12(1,-i,-i,-1),\ \tfrac12(1,-i,i,1),\ \tfrac12(1,i,i,-1),\ \tfrac12(1,i,-i,1) \,\}$,

$M_{\xi^2} = M_{3\xi+3} = \{\, \tfrac12(1,-i,-1,-i),\ \tfrac12(1,-i,1,i),\ \tfrac12(1,i,1,-i),\ \tfrac12(1,i,-1,i) \,\}$.

These four bases and the standard basis form an extremal set of five mutually unbiased bases of $\mathbb{C}^4$.
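The Galois ring arithmetic of this section, Lemma 2 and Theorem 3, written out as an added Python example (this is not code from the paper). Elements of $\mathrm{GR}(4,n)$ are coefficient tuples mod 4 reduced modulo a monic $h(x)$ whose image mod 2 is irreducible; the Teichmüller set is obtained as the fixed points of $r \mapsto r^{2^n}$, which is correct for every such $h$, and the trace is computed from the Frobenius $\sigma(a+2b) = a^2 + 2b^2$ exactly as defined above. The class and function names are my own; with $h = x^2 + x + 1$ the code reproduces the basis $M_1$ of Example 2, and `lemma2_classification` counts how many $r$ fall into each of the three cases of Lemma 2.

```python
"""Galois ring GR(4, n), the exponential sum of Lemma 2 and the bases M_a of Theorem 3.

Added example, not taken from the paper.  Elements of GR(4, n) = Z_4[x]/(h(x))
are coefficient tuples (low degree first) reduced mod 4 and mod h; h is any
monic polynomial of degree n whose image mod 2 is irreducible (the page's
Example 2 uses h = x^2 + x + 1).  The Teichmuller set T_n is computed as the
set of solutions of r^(2^n) = r, which holds for every such h, so nothing
here depends on x itself having order 2^n - 1.  Standard library only.
"""
from itertools import product

I_POW = (1, 1j, -1, -1j)          # exact powers of i = exp(2 pi i / 4)


def poly_mul_mod(f, g, h):
    """Product of f and g in Z_4[x]/(h(x)); h is monic, deg h = n = len(h) - 1."""
    n = len(h) - 1
    prod = [0] * (2 * n - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            prod[i + j] = (prod[i + j] + fi * gj) % 4
    for deg in range(2 * n - 2, n - 1, -1):      # replace c*x^deg using x^n = -(h - x^n)
        c = prod[deg]
        if c:
            for t in range(n + 1):
                prod[deg - n + t] = (prod[deg - n + t] - c * h[t]) % 4
    return tuple(prod[:n])


class GaloisRing:
    """GR(4, n) with its Teichmuller set, Frobenius automorphism and trace map."""

    def __init__(self, h):
        self.h = tuple(c % 4 for c in h)
        self.n = len(h) - 1
        self.zero = (0,) * self.n
        self.one = (1,) + (0,) * (self.n - 1)
        self.elements = list(product(range(4), repeat=self.n))   # all 4^n elements
        rest = sorted(r for r in self.elements
                      if r not in (self.zero, self.one) and self.power(r, 2 ** self.n) == r)
        self.teich = [self.zero, self.one] + rest                # T_n; reads 0, 1, xi, xi^2 for n = 2
        assert len(self.teich) == 2 ** self.n
        # each residue class mod 2 has exactly one Teichmuller representative
        self.lift = {tuple(c % 2 for c in t): t for t in self.teich}

    def add(self, f, g):
        return tuple((a + b) % 4 for a, b in zip(f, g))

    def sub(self, f, g):
        return tuple((a - b) % 4 for a, b in zip(f, g))

    def mul(self, f, g):
        return poly_mul_mod(f, g, self.h)

    def twice(self, f):
        return tuple((2 * a) % 4 for a in f)

    def power(self, f, e):
        result, base = self.one, f
        while e:
            if e & 1:
                result = self.mul(result, base)
            base = self.mul(base, base)
            e >>= 1
        return result

    def decompose(self, r):
        """Unique a, b in T_n with r = a + 2b."""
        a = self.lift[tuple(c % 2 for c in r)]
        two_b = self.sub(r, a)                   # every coefficient is 0 or 2
        b = self.lift[tuple((c // 2) % 2 for c in two_b)]
        return a, b

    def frobenius(self, r):
        """sigma(a + 2b) = a^2 + 2 b^2."""
        a, b = self.decompose(r)
        return self.add(self.mul(a, a), self.twice(self.mul(b, b)))

    def trace(self, r):
        """tr(r) = sum_{k<n} sigma^k(r), an element of Z_4 (a constant polynomial)."""
        total, cur = self.zero, r
        for _ in range(self.n):
            total = self.add(total, cur)
            cur = self.frobenius(cur)
        assert all(c == 0 for c in total[1:]), "trace must lie in Z_4"
        return total[0]

    def exp_sum(self, r):
        """E(r) = sum_{x in T_n} i^{tr(r x)} of Lemma 2."""
        return sum(I_POW[self.trace(self.mul(r, x))] for x in self.teich)

    def basis(self, a):
        """M_a = {v_{a,b} : b in T_n}, v_{a,b} = 2^{-n/2} (i^{tr((a+2b)x)})_{x in T_n}."""
        s = 2 ** (-self.n / 2)
        return [[s * I_POW[self.trace(self.mul(self.add(a, self.twice(b)), x))] for x in self.teich]
                for b in self.teich]


def lemma2_classification(ring):
    """Counts of r with |E(r)| = 0, = 2^n, = sqrt(2^n); any other value raises.
    Lemma 2 predicts (2^n - 1, 1, 4^n - 2^n): the nonzero elements of 2T_n, r = 0, the units."""
    n, counts = ring.n, [0, 0, 0]
    for r in ring.elements:
        e = abs(ring.exp_sum(r))
        if e < 1e-9:
            counts[0] += 1
        elif abs(e - 2 ** n) < 1e-9:
            counts[1] += 1
        elif abs(e - 2 ** (n / 2)) < 1e-9:
            counts[2] += 1
        else:
            raise ValueError(f"|E({r})| = {e} contradicts Lemma 2")
    return tuple(counts)


def overlap_squares(ring):
    """Set of |<u|v>|^2 (rounded) over u, v from two different bases M_a, M_a'; {2^-n} means MUB."""
    bases = [ring.basis(a) for a in ring.teich]
    vals = set()
    for i, B in enumerate(bases):
        for C in bases[i + 1:]:
            for u in B:
                for v in C:
                    vals.add(round(abs(sum(x.conjugate() * y for x, y in zip(u, v))) ** 2, 9))
    return vals
```

`GaloisRing((1, 1, 1))` is $\mathrm{GR}(4,2)$ with $h = x^2 + x + 1$; `ring.basis(ring.one)` returns $M_1$ in the order printed in Example 2, and `overlap_squares(ring)` returns `{0.25}`, i.e. $|\langle u \mid v\rangle|^2 = 2^{-2}$ for every pair of vectors from different bases. Passing `(1, 1, 0, 1)` ($h = x^3 + x + 1$, a lift in which $x$ has order 14 rather than 7) still gives the correct $\mathrm{GR}(4,3)$ because the Teichmüller set is not taken as the powers of $x$.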



4 Non Prime Powers

In the previous two sections, we established that the number $N(d)$ of mutually unbiased bases in dimension $d$ attains the maximal possible value, $N(d) = d+1$, when $d$ is a prime power. In contrast, the exact value of $N(d)$ is not known for any dimension $d$ which is divisible by at least two distinct primes, not even in small dimensions such as $d = 6$.

The problem to determine $N(d)$ is similar to the combinatorial problem to determine the number $M(d)$ of mutually orthogonal Latin squares of size $d \times d$. The number $M(d)$ is exactly known for prime powers but not in general when $d$ is divisible by at least two distinct primes, see [6, 16] for more details. Lower bounds on the number of mutually orthogonal Latin squares can be obtained with the help of a lemma by MacNeish. Our next result formulates a similar statement for the number $N(d)$ of mutually unbiased bases.

Lemma 3. Let $d = p_1^{a_1} \cdots p_r^{a_r}$ be a factorization of $d$ into distinct primes $p_i$. Then
$$N(d) \ge \min\{\, N(p_1^{a_1}), N(p_2^{a_2}), \dots, N(p_r^{a_r}) \,\}.$$

Proof. We denote the minimum by $m = \min_i N(p_i^{a_i})$. Choose $m$ mutually unbiased bases $B_1^{(i)}, \dots, B_m^{(i)}$ of $\mathbb{C}^{p_i^{a_i}}$, for all $i$ in the range $1 \le i \le r$. Then
$$\{\, B_k^{(1)} \otimes \cdots \otimes B_k^{(r)} : k = 1, \dots, m \,\}$$
is a set of $m$ mutually unbiased bases of $\mathbb{C}^d$, because the inner product of two tensor products is the product of the inner products of the factors. □

An easily memorable form of the above lemma is $N(nm) \ge \min\{N(n), N(m)\}$ for all $m, n \ge 2$. A simple consequence is that $N(d) \ge 3$ for all dimensions $d \ge 2$, that is, in each dimension there are at least three mutually unbiased bases.
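As an added example (not code from the paper), the following Python restricts Theorems 1 and 2 to prime $q = p$, where the trace map is the identity, and checks the mutual unbiasedness numerically; it also exhibits the failure of the cubic construction in characteristic 3 noted in Remark 1, the failure of the construction of Theorem 2 in characteristic 2, and the Kronecker-product argument of Lemma 3 applied to bases of $\mathbb{C}^2$ and $\mathbb{C}^3$ to obtain three mutually unbiased bases of $\mathbb{C}^6$. The function names and the tolerance are my own choices; the three bases of $\mathbb{C}^2$ are hard-coded (they are the Pauli eigenbases, equivalently the $n = 1$ case of Theorem 3 with $\mathrm{GR}(4,1) = \mathbb{Z}_4$).

```python
"""Prime-dimension MUB constructions (Theorems 1 and 2) and the Lemma 3 tensor bound.

Added example, not taken from the paper.  It restricts Theorems 1 and 2 to q = p
prime, where the trace map is the identity and omega_p = exp(2 pi i / p), checks
the MUB property numerically, shows the failure of the cubic construction in
characteristic 3 (Remark 1), and builds 3 mutually unbiased bases of C^6 out of
bases of C^2 and C^3 as in the proof of Lemma 3.  Standard library only.
"""
import cmath

TOL = 1e-9


def omega(p, e):
    """omega_p^e for the primitive p-th root of unity omega_p = exp(2 pi i / p)."""
    return cmath.exp(2j * cmath.pi * (e % p) / p)


def standard_basis(d):
    return [[1.0 if k == j else 0.0 for k in range(d)] for j in range(d)]


def alltop_bases(p):
    """Theorem 1 for q = p: b_{lambda,alpha} = p^{-1/2} (omega^{(k+alpha)^3 + lambda (k+alpha)})_k.

    Returns [standard basis, B_0, ..., B_{p-1}]: p + 1 bases of C^p, mutually unbiased iff p >= 5."""
    s = p ** -0.5
    bases = [standard_basis(p)]
    for alpha in range(p):
        bases.append([[s * omega(p, (k + alpha) ** 3 + lam * (k + alpha)) for k in range(p)]
                      for lam in range(p)])
    return bases


def wootters_fields_bases(p):
    """Theorem 2 for q = p: v_{a,b} = p^{-1/2} (omega^{a x^2 + b x})_x; returns [standard, B_0..B_{p-1}]."""
    s = p ** -0.5
    bases = [standard_basis(p)]
    for a in range(p):
        bases.append([[s * omega(p, a * x * x + b * x) for x in range(p)] for b in range(p)])
    return bases


def inner(u, v):
    """Hermitian inner product <u|v>, conjugate-linear in the first argument."""
    return sum(complex(x).conjugate() * y for x, y in zip(u, v))


def is_mub_set(bases):
    """True iff each basis is orthonormal and every pair of bases is mutually unbiased,
    i.e. |<u|v>|^2 = 1/d whenever u and v come from two different bases of C^d."""
    d = len(bases[0])
    for i, B in enumerate(bases):
        for a, u in enumerate(B):
            for b, v in enumerate(B):
                if abs(abs(inner(u, v)) - (1.0 if a == b else 0.0)) > TOL:
                    return False
        for C in bases[i + 1:]:
            for u in B:
                for v in C:
                    if abs(abs(inner(u, v)) ** 2 - 1 / d) > TOL:
                        return False
    return True


# The three MUBs of C^2 (eigenbases of the Pauli matrices Z, X, Y): the standard basis,
# {(1,1),(1,-1)}/sqrt2 and {(1,i),(1,-i)}/sqrt2.  They are the n = 1 case of Theorem 3,
# where GR(4,1) = Z_4, T_1 = {0, 1} and tr is the identity.
QUBIT_MUBS = [standard_basis(2),
              [[2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -2 ** -0.5]],
              [[2 ** -0.5, 2 ** -0.5 * 1j], [2 ** -0.5, -2 ** -0.5 * 1j]]]


def tensor_bases(bases1, bases2):
    """Lemma 3: pair the k-th basis of C^n with the k-th basis of C^m and take all
    Kronecker products u (x) v; this yields min(len(bases1), len(bases2)) MUBs of C^{nm}."""
    return [[[x * y for x in u for y in v] for u in B for v in C]
            for B, C in zip(bases1, bases2)]
```

`is_mub_set(alltop_bases(5))` and `is_mub_set(wootters_fields_bases(3))` hold, while `alltop_bases(3)` fails the check: in $\mathbb{F}_3$ one has $k^3 = k$, so the cubic phase collapses to a linear one and $B_0$, $B_1$ differ only by a global phase per vector. `tensor_bases(QUBIT_MUBS, wootters_fields_bases(3))` gives three mutually unbiased bases of $\mathbb{C}^6$, which is all that Lemma 3 guarantees; it is not known whether a fourth one exists.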

Many researchers in the quantum physics community seem to be under the impression that $N(d) = d+1$ for all integers $d \ge 2$. However, there is some numerical evidence that considerably fewer mutually unbiased bases might be possible if the dimension is not a prime power. In fact, a conjecture by Zauner on the existence of affine quantum designs implies that $N(6) = 3$ rather than $N(6) = 7$, see [24].

Conjecture 1 (Zauner). The number of mutually unbiased bases in dimension 6 is given by $N(6) = 3$.

Apparently, Zauner did considerable numerical computations to bolster his conjecture. Our computational experiments indicate that $N(d)$ is in general smaller than $d+1$ when $d$ is not a prime power.

Problem 1. Does $N(d) = d+1$ hold for any dimension $d \ge 2$ that is not a prime power?

Another interesting problem concerns lower bounds on $N(d)$. Recall that for mutually orthogonal Latin squares, $M(d) \to \infty$ for $d \to \infty$, as shown by Chowla, Erdős, and Straus [10]. It is natural to ask whether a similar property holds for the number of mutually unbiased bases:

Problem 2. Does $N(d) \to \infty$ for $d \to \infty$ hold?

More constructions of mutually unbiased bases are needed to prove such a result. A result similar to Wilson's theorem on the number of mutually orthogonal Latin squares [21] would be particularly interesting.
5 Conclusions

Mutually unbiased bases are basic primitives in quantum information theory. They have applications in quantum cryptography and the design of optimal measurements. It is known that in dimension $d$ at most $d+1$ mutually unbiased bases can exist. In this paper, we gave a simplified proof of the fact that $d+1$ mutually unbiased bases exist in $\mathbb{C}^d$ when $d$ is a prime power.

Specifically, we were able to generalize the construction by Alltop to powers of a prime $p \ge 5$. Elementary estimates of Weil sums allowed us to derive a particularly short proof of a theorem by Wootters and Fields. For dimensions $d = 2^n$, we took advantage of known properties of exponential sums over $\mathrm{GR}(4,n)$ to obtain extremal sets of mutually unbiased bases.

An open problem is to determine the maximal number of mutually unbiased bases when the dimension is not a prime power. We derived an elementary lower bound for arbitrary dimensions and discussed some conjectures and open problems. Finally, we recommend the mean king's problem [2, 12, 19] as an enjoyable application of mutually unbiased bases.
Abstract. This paper presents a new construction of matrices with no singular square submatrix. This construction allows designing erasure codes over finite fields with fast encoding and decoding algorithms.

1 Systematic MDS Erasure Codes

It is well known that an $[n, k, d]$ error correcting code is Maximum Distance Separable (MDS) if and only if its $k \times n$ generator matrix does not contain any singular $k \times k$ square submatrix [1, p. 319, Cor. 3]. Similarly, a systematic code whose generator matrix has the form $(I_k \mid R)$, where $I_k$ is the $k \times k$ identity matrix and $R$ is a $k \times (n-k)$ matrix, is MDS if and only if any $r \times r$ square submatrix of $R$ is nonsingular [1, p. 321, Th. 8], for $r \le k$.

It should be noted that systematic MDS codes built from this property (i.e. from the matrix $R$) are used in practical computer communications to cope with losses of data packets [2].

Cauchy matrices are generally used to build matrices over finite fields all of whose square submatrices are nonsingular [3]. An $r \times r$ Cauchy matrix is defined as $\left(\frac{1}{a_i + b_j}\right)_{i,j=1}^{r}$, where $(a_i)_{i=1}^{r}$ and $(b_j)_{j=1}^{r}$ are given vectors of $(\mathbb{F}_q)^r$ with $a_i + b_j \neq 0$ for $1 \le i, j \le r$. Such a matrix is nonsingular if and only if the elements $a_i$, $i = 1, \dots, r$, are distinct and the elements $b_j$, $j = 1, \dots, r$, are distinct. It can be easily verified that any submatrix of a Cauchy matrix is a Cauchy matrix, and then any square submatrix of a nonsingular Cauchy matrix is nonsingular. It should be noted that Vandermonde matrices defined over a finite field can contain singular square submatrices [1, p. 323, Problem 7].

2 A New Class of Matrices with No Singular Square Submatrices

Theorem 1. Let $A$ and $B$ be two $r \times r$ matrices of rank $r$ over a given field such that any $r \times r$ submatrix of the $r \times 2r$ matrix $(A \mid B)$ has rank $r$. Then the matrix $A^{-1}B$ is such that any of its square submatrices is nonsingular.

Proof. Let $W$ denote the $r \times 2r$ matrix $(A \mid B)$. The product $A^{-1}W$ is of the form $(I_r \mid C)$, where $C = A^{-1}B$. Since, by construction, any $r \times r$ submatrix of $W$ is nonsingular, any $r \times r$ submatrix of the product $A^{-1}W$ is nonsingular (an $r \times r$ submatrix of $A^{-1}W$ is $A^{-1}$ times the submatrix of $W$ formed by the same columns).

By combining [1, p. 319, Cor. 3] and [1, p. 321, Th. 8], it can be stated that an $r \times 2r$ matrix of the form $(I_r \mid C)$ all of whose $r \times r$ submatrices are nonsingular is necessarily such that $C$ does not contain any singular $r' \times r'$ submatrix for $r' \le r$. This concludes the proof. □

Note that these matrices are in general not Cauchy matrices. Let us give a counterexample. Let us work in the field $\mathbb{F}_5$ and consider the matrices
$$A = \begin{pmatrix} 1 & 1 \\ 1 & 2 \end{pmatrix} \quad \text{and} \quad B = \begin{pmatrix} 1 & 1 \\ 3 & 4 \end{pmatrix},$$
so that $(A \mid B)$ has the columns $(1,1)^T, (1,2)^T, (1,3)^T, (1,4)^T$ and every $2 \times 2$ submatrix of $(A \mid B)$ is nonsingular. Then $A^{-1} = \begin{pmatrix} 2 & 4 \\ 4 & 1 \end{pmatrix}$ and the product $A^{-1} \times B$ is equal to
$$A^{-1}B = \begin{pmatrix} 4 & 3 \\ 2 & 3 \end{pmatrix}.$$
From the definition of Cauchy matrices, it can be easily verified that this product cannot be a Cauchy matrix: entries of the form $1/(a_i + b_j)$ would require $b_1 - b_2 = 4^{-1} - 3^{-1} = 2$ from the first row but $b_1 - b_2 = 2^{-1} - 3^{-1} = 1$ from the second row.

The construction was presented with square matrices, but it can be generalized when $A$ is a $k \times k$ matrix and $B$ is a $k \times (n-k)$ matrix. One can then build a $k \times (n-k)$ matrix, for any "suitable" $n$ ($n > k$), all of whose square submatrices are nonsingular. Such a matrix can be directly used to build the generator matrix of a systematic MDS code (see Section 1).



3 Application of this Construction to Build Fast Erasure Codes

In order to apply this construction to design efficient erasure codes for computer communications, one must consider matrices for which there exist fast matrix-vector multiplication and fast inversion algorithms. Vandermonde matrices have these properties. These matrices are defined from a vector of $r$ distinct elements $(\alpha_1, \dots, \alpha_r)$ of $(\mathbb{F}_q)^r$ as
$$V(\alpha_1, \dots, \alpha_r) = \left(\alpha_j^{\,i-1}\right)_{i,j=1}^{r}.$$
The determinant of this matrix is equal to $\prod_{1 \le i < j \le r} (\alpha_j - \alpha_i)$.

As recalled in Section 1, Vandermonde matrices defined over a finite field can contain singular square submatrices [1, p. 323, Problem 7]. An upper bound on the number of singular submatrices of Vandermonde matrices is given in [4]. Hence, these matrices cannot be directly used to design systematic erasure codes.

However, they can be used in our construction. Indeed, let us define the $k \times k$ matrix $A$ as the Vandermonde matrix $V(\alpha_1, \dots, \alpha_k)$, where $(\alpha_1, \dots, \alpha_k)$ is a vector of $k$ distinct elements of $\mathbb{F}_q$. Let us now define the $k \times (n-k)$ matrix $B = [b_{i,j}]$ such that $b_{i,j} = \beta_j^{\,i-1}$, where $(\beta_1, \dots, \beta_{n-k})$ is a vector of $n-k$ distinct elements of $\mathbb{F}_q$ such that $\alpha_i \neq \beta_j$ for any $i = 1, \dots, k$ and any $j = 1, \dots, n-k$. Then $(A \mid B) = V(\alpha_1, \dots, \alpha_k, \beta_1, \dots, \beta_{n-k})$ is built on $n$ distinct elements, so every $k \times k$ submatrix of $(A \mid B)$ is a Vandermonde matrix on $k$ distinct elements and is therefore nonsingular: $A$ and $B$ verify the conditions given in Theorem 1. These matrices can therefore be used to design a systematic MDS erasure code.

To optimize this construction, we make the assumption that $k$ is a divisor of $q-1$ and we suggest to take the vector $(\alpha_1, \dots, \alpha_k)$ equal to $(1, \alpha, \dots, \alpha^{k-1})$, where $\alpha$ is an element of $\mathbb{F}_q$ of order $k$. The corresponding Vandermonde matrix is then denoted by $V(\alpha)$. This choice has two objectives. First, the inversion of $A$ is direct since $(V(\alpha))^{-1} = k^{-1}\,V(\alpha^{-1})$. Then, the matrix-vector multiplication with $V(\alpha)$ (and $V(\alpha^{-1})$) can be performed in $O(k \log k)$ operations by using the Fast Fourier Transform (FFT). The general term of the product $\Pi = V(\alpha)^{-1} \times B$ is then
$$\pi_{i,j} = k^{-1} \sum_{l=1}^{k} \alpha^{-(i-1)(l-1)}\, \beta_j^{\,l-1}.$$

Let us now describe the coding and the decoding algorithms and evaluate their complexities. As explained in Section 1, the generator matrix of the code is $G = (I_k \mid R)$, where $I_k$ is the $k \times k$ identity matrix and $R$ is the constructed matrix.

The coding operation consists simply in multiplying the information vector $u$ by the matrix $G$. It should first be noted that the generator matrix can be factorized into the form $G = V(\alpha)^{-1} \times [V(\alpha) \mid B] = k^{-1}\,V(\alpha^{-1}) \times [V(\alpha) \mid B]$. The coding is done by multiplying $u$ and $k^{-1}V(\alpha^{-1})$, then by multiplying the resulting vector and $[V(\alpha) \mid B]$. The first vector-matrix multiplication can be processed in $O(k \log k)$ operations by using FFT. Since the matrix $[V(\alpha) \mid B]$ is the $k$ first rows of the $n \times n$ matrix $V(1, \alpha, \dots, \alpha^{k-1}, \beta_1, \dots, \beta_{n-k})$, the second matrix-vector multiplication can be performed in $O(n \log n)$ if FFT can be used (i.e. if the set $\{1, \alpha, \dots, \alpha^{k-1}, \beta_1, \dots, \beta_{n-k}\}$ can be expressed as the first $n$ powers of an element of $\mathbb{F}_q$ of order $n$) and in $O(n \log^2 n)$ otherwise [5].

The first step of the decoding consists in considering the $k \times k$ submatrix of $G$ corresponding to the $k$ received symbols. This matrix is then inverted and multiplied by the received vector to obtain the information vector. Since any $k \times k$ submatrix of $G$ can be considered as the product of two Vandermonde matrices, the decoding complexity is $O(k \log^2 k)$ operations for the inversion and $O(k \log^2 k)$ for the matrix-vector multiplication [5]. It should be noted that, in all cases, the presented complexities are better than the coding and decoding complexities of erasure codes constructed from Cauchy matrices, even when FFT cannot be used (i.e. when $k$ and $n$ cannot be chosen accordingly).
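The construction of Sections 2 and 3 as an added worked example in Python (this is not the paper's code). Assumptions: the prime field $\mathbb{F}_{13}$, so that field elements are integers mod 13; $k = 3$, a divisor of $13 - 1$, so an element $\alpha$ of order 3 exists and $A = V(\alpha)$; and the evaluation points $\beta_j = 2, 4, 5, 6$ for $n = 7$, chosen disjoint from $\{1, \alpha, \alpha^2\}$. Inversion uses plain Gauss-Jordan elimination rather than the FFT-based algorithms of Section 3, and the closed form $V(\alpha)^{-1} = k^{-1}V(\alpha^{-1})$ is checked against it. Codewords use the row-vector convention $c = uG$, and decoding from any $k$ received symbols solves $u\,G_S = c_S$ for the received positions $S$.

```python
"""Systematic MDS erasure code from R = A^{-1} B (Theorem 1) with Vandermonde A and B.

Added example, not the paper's code.  Assumptions: the field is the prime field
F_P with P = 13, so elements are ints mod P; k = 3 divides P - 1 = 12, so an
element alpha of order k exists and A = V(alpha) as in Section 3; the points
beta_j are chosen disjoint from {1, alpha, alpha^2}.  Row-vector convention:
the codeword is c = u G with G = (I_k | R).
"""
from itertools import combinations

P = 13


def inv(a):
    """Inverse in F_P by Fermat's little theorem; raises on 0."""
    a %= P
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return pow(a, P - 2, P)


def vandermonde(points, rows):
    """V with entry (i, j) = points[j]^i for i = 0..rows-1: one column per evaluation point."""
    return [[pow(x, i, P) for x in points] for i in range(rows)]


def element_of_order(k):
    """Some alpha in F_P of multiplicative order exactly k (requires k | P - 1)."""
    for a in range(2, P):
        if pow(a, k, P) == 1 and all(pow(a, d, P) != 1 for d in range(1, k)):
            return a
    raise ValueError("no element of that order")


def matmul(X, Y):
    return [[sum(X[i][l] * Y[l][j] for l in range(len(Y))) % P for j in range(len(Y[0]))]
            for i in range(len(X))]


def inverse(M):
    """Gauss-Jordan inverse mod P; returns None if M is singular."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if A[r][col] % P), None)
        if pivot is None:
            return None
        A[col], A[pivot] = A[pivot], A[col]
        f = inv(A[col][col])
        A[col] = [(v * f) % P for v in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                g = A[r][col]
                A[r] = [(a - g * b) % P for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]


def all_square_submatrices_nonsingular(R):
    """The Section 1 criterion on R: every r x r submatrix, r = 1..min(k, n-k), is invertible."""
    rows, cols = len(R), len(R[0])
    for r in range(1, min(rows, cols) + 1):
        for ri in combinations(range(rows), r):
            for ci in combinations(range(cols), r):
                if inverse([[R[i][j] for j in ci] for i in ri]) is None:
                    return False
    return True


def build_code(k, betas):
    """Generator matrix G = (I_k | R) with R = V(alpha)^{-1} B and B = (beta_j^{i-1})."""
    alpha = element_of_order(k)
    alphas = [pow(alpha, i, P) for i in range(k)]          # (1, alpha, ..., alpha^{k-1})
    assert not set(alphas) & set(betas), "alpha_i must differ from every beta_j"
    A = vandermonde(alphas, k)                               # V(alpha)
    B = vandermonde(betas, k)
    # Section 3: V(alpha)^{-1} = k^{-1} V(alpha^{-1}); compare with Gauss-Jordan.
    k_inv = inv(k)
    A_inv = [[(k_inv * v) % P for v in row] for row in vandermonde([inv(a) for a in alphas], k)]
    assert A_inv == inverse(A)
    R = matmul(A_inv, B)
    G = [[int(i == j) for j in range(k)] + R[i] for i in range(k)]
    return G, R


def encode(G, u):
    """Codeword c = u G (the first k symbols are u itself)."""
    return [sum(u[i] * G[i][j] for i in range(len(u))) % P for j in range(len(G[0]))]


def decode(G, received):
    """received: dict position -> symbol with exactly k entries; solves u G_S = c_S."""
    k = len(G)
    positions = sorted(received)
    assert len(positions) == k, "exactly k symbols are needed"
    G_S = [[G[i][j] for j in positions] for i in range(k)]
    G_S_inv = inverse(G_S)        # nonsingular for ANY choice of k positions: the code is MDS
    c_S = [received[j] for j in positions]
    return [sum(c_S[l] * G_S_inv[l][i] for l in range(k)) % P for i in range(k)]
```

`build_code(3, [2, 4, 5, 6])` yields a $[7, 3]$ code; every one of the 35 choices of 3 surviving symbols decodes back to $u$, which is the MDS property the construction guarantees. By contrast, `all_square_submatrices_nonsingular(vandermonde([1, 12], 3))` is false, since the rows for the powers 0 and 2 coincide at the points $1$ and $12 = -1$: this is the singular Vandermonde submatrix that Section 1 warns about.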
Abstract. We construct a tower of function fields $F_0 \subseteq F_1 \subseteq \cdots$ over a finite field such that every place of every $F_i$ ramifies in the tower and $\lim \operatorname{genus}(F_i)/[F_i : F_0] < \infty$. We also construct a tower in which every place ramifies and $\lim N_{F_i}/[F_i : F_0] > 0$, where $N_{F_i}$ is the number of degree-1 places of $F_i$. These towers answer questions posed by Stichtenoth at Fq7.



1 Introduction

Let $q$ be a prime power, and let $\mathbb{F}_q$ be a finite field of size $q$. By a function field over $\mathbb{F}_q$, we mean a finitely generated extension $K/\mathbb{F}_q$ of transcendence degree 1 in which $\mathbb{F}_q$ is algebraically closed. By an extension of function fields $K'/K$, we mean a finite separable extension such that $K$ and $K'$ are function fields over the same $\mathbb{F}_q$. Let $g_K$ be the genus of $K$. Let $N_K$ be the number of degree-1 places of $K$ (the number of $\mathbb{F}_q$-rational points on the corresponding curve). A tower of function fields over $\mathbb{F}_q$ is a sequence of extensions of such function fields
$$K_0 \subset K_1 \subset K_2 \subset \cdots$$
such that $g_i := g_{K_i} \to \infty$ as $i \to \infty$. Define $N_i = N_{K_i}$ and $d_i = [K_i : K_0]$. Since $N_i/d_i$ is decreasing while $(g_i - 1)/d_i$ is increasing (Hurwitz), $\lim N_i/d_i$ and $\lim g_i/d_i$ exist. (The latter can be $\infty$.)

The Weil bound $N_K \le q + 1 + 2 g_K \sqrt{q}$ implies
$$\lim N_i/g_i \le 2\sqrt{q}.$$
This was improved by Drinfeld and Vladut [4] (following Ihara [19]) to
$$\lim N_i/g_i \le \sqrt{q} - 1.$$
Ihara also showed that, for any square $q$, there are towers of Shimura curves with $\lim N_i/g_i = \sqrt{q} - 1$ [15-19]. Subsequent authors have given further constructions of 'asymptotically good' towers, i.e., towers with $\lim N_i/g_i > 0$ [1-3, 5-14, 20-31, 33-36].

Every known asymptotically good tower has two special properties: there is some place of some $K_i$ which splits completely in the tower, and there are only finitely many places of $K_0$ which ramify in the tower. (We say that a place of $K_i$ splits completely in the tower if it splits completely in $K_j/K_i$ for every $j > i$. We say that a place of $K_0$ ramifies in the tower if there exists $i$ such that it ramifies in $K_i/K_0$.) But it is difficult to study asymptotically good towers directly since one must control both the genus and the number of rational places. With this as motivation, Stichtenoth posed the following two questions in his talk at Fq7 (the Seventh International Conference on Finite Fields and Their Applications):

Question 1. If $\lim N_i/d_i > 0$, must some $K_i$ have a place that splits completely in the tower?

Question 2. If $\lim g_i/d_i < \infty$, must only finitely many places of $K_0$ ramify in the tower?

Our Theorems 1 and 2 imply negative answers to these two questions. Call a tower $K_0 \subset K_1 \subset \cdots$ of function fields over $\mathbb{F}_q$ everywhere ramified if for each place $P$ of each $K_i$, there exists $j > i$ such that $P$ ramifies in $K_j/K_i$.

Theorem 1. Given a function field $K_0$ over $\mathbb{F}_q$ with a rational place, there exists an everywhere ramified tower $K_0 \subset K_1 \subset \cdots$ such that $\lim N_i/d_i > 0$.

Theorem 2. Given a function field $K_0$ over $\mathbb{F}_q$, there exists an everywhere ramified tower $K_0 \subset K_1 \subset \cdots$ such that $\lim g_i/d_i < \infty$.


2 Proof of Theorem 1

Lemma 1. Let $K$ be a function field over $\mathbb{F}_q$. Then there is a nontrivial extension $K'/K$ in which all rational places of $K$ split completely.

Proof. Weak approximation (or Riemann-Roch) gives $f \in K^*$ having a zero at each rational place of $K$ and a simple pole at some other place of $K$. Adjoin a root of $y^q - y = f$ to obtain $K'$. Then $K'/K$ is totally ramified above the simple pole of $f$, so $K'$ is another function field over $\mathbb{F}_q$ and $[K' : K] = q > 1$. At a rational place $P$ of $K$ the function $f$ vanishes, so $y^q - y = f$ reduces to $y^q - y = 0$ modulo $P$, which has $q$ distinct roots in $\mathbb{F}_q$; hence $P$ splits completely in $K'/K$. □

Lemma 2. Let $K$ be a function field over $\mathbb{F}_q$ with $N_K > 0$, and let $P$ be a place of $K$. For any $\varepsilon > 0$, there is an extension $L/K$ such that $N_L/N_K \ge (1 - \varepsilon)[L : K]$ and $P$ ramifies in $L/K$.



Proof. We first reduce to the case where $1/N_K < \varepsilon$. Repeated application of Lemma 1 yields $K'/K$ such that $1/([K' : K] N_K) < \varepsilon$ and all rational places of $K$ split completely. Then $N_{K'} = [K' : K] N_K$. Pick a place $P'$ of $K'$ above $P$. If we could find $L/K'$ satisfying the conditions of the lemma for $(K', P')$, then
$$\frac{N_L}{N_K} = \frac{N_L}{N_{K'}} \cdot \frac{N_{K'}}{N_K} \ge (1 - \varepsilon)[L : K'][K' : K] = (1 - \varepsilon)[L : K],$$
so $L/K$ would work for $(K, P)$. Thus, renaming $K'$ as $K$, we may assume $1/N_K < \varepsilon$.

Weak approximation gives $f \in K^*$ having a simple pole at $P$ and zeros at all rational places not equal to $P$. Adjoin a root of $y^q - y = f$ to obtain $L$. Then $P$ ramifies in $L/K$, but all other rational places of $K$ split completely, so $N_L \ge (N_K - 1)q$. Thus $N_L/N_K \ge q(1 - 1/N_K) > [L : K](1 - \varepsilon)$. □



Proof (Proof of Theorem 1). Fix a sequence of positive numbers $\varepsilon_m \to 0$ such that $\prod_{m=1}^{\infty}(1 - \varepsilon_m)$ converges to a positive number. In our proof we will apply Lemma 2 infinitely often, using $\varepsilon_1$ in the first application, $\varepsilon_2$ in the second application, and so on.

Let $P_0, P_1, \dots$ be an enumeration of the places of $K_0$ (of all degrees). Given $K_i$, we construct $K_{i+1}$ in stages so that all places of $K_i$ lying above $P_0, \dots, P_i$ ramify in $K_{i+1}/K_i$. Namely, if $Q_1, \dots, Q_l$ are all the places of $K_i$ lying above $P_0, \dots, P_i$, we set $K_{i,0} = K_i$ and then for $j = 1, \dots, l$ in turn, apply Lemma 2 with the first unused $\varepsilon_m$ to find $K_{i,j}/K_{i,j-1}$ in which some place of $K_{i,j-1}$ above $Q_j$ ramifies and $N_{K_{i,j}}/N_{K_{i,j-1}} \ge (1 - \varepsilon_m)[K_{i,j} : K_{i,j-1}]$. Finally, set $K_{i+1} = K_{i,l}$.

If $R$ is a place of some $K_r$, then $R$ lies over some $P_j$ of $K_0$. By construction, for all $i \ge \max\{j, r\}$, all places of $K_i$ above $R$ ramify in $K_{i+1}/K_i$. Thus $R$ is ramified in $K_{i+1}/K_r$.

The inequality in Lemma 2 guarantees that the value of $N/d$ for $K_{i,j}$ is at least $1 - \varepsilon_m$ times the value of $N/d$ for $K_{i,j-1}$. Thus $N_i/d_i$ is at least $\left(\prod_{m \le M}(1 - \varepsilon_m)\right) N_0/d_0$, if $M$ is the number of applications of Lemma 2 used in the construction up to $K_i$. Since $N_0/d_0 > 0$ and $\prod_{m=1}^{\infty}(1 - \varepsilon_m)$ converges, the decreasing sequence $N_i/d_i$ is bounded below by
$$\left(\prod_{m=1}^{\infty}(1 - \varepsilon_m)\right) N_0/d_0,$$
which is positive. So $N_i/d_i$ has a positive limit. Finally, $N_i \to \infty$ implies $g_i \to \infty$. □



Remark 1. A slight modification of the argument shows that, given $K_0$, we can construct an everywhere ramified tower in which $N_i/d_i$ converges to any prescribed value less than $N_0$. This is because weak approximation lets us prescribe the ramification and splitting of any finite number of places at each step.



3 Proof of Theorem 2

Let $p$ be the characteristic of $\mathbb{F}_q$.

Lemma 3. Let $K$ be a function field over $\mathbb{F}_q$ of genus $> 1$, and let $P$ be a place of $K$. Then there exist unramified extensions $K'/K$ of arbitrarily high genus such that for some place $Q$ of $K'$ lying over $P$, the residue field extension for $Q/P$ is trivial.

Proof. Let $C$ be the smooth, projective, geometrically integral curve with function field $K$. Let $J$ be the Jacobian of $C$. There exists a degree-1 divisor $D$ on $C$ [32, V.1.11]. Use $D$ to identify $C$ with a closed subvariety of $J$.

The place $P$ corresponds to a Galois conjugacy class of points in $C(\mathbb{F}_{q^f})$, where $\mathbb{F}_{q^f}$ is the residue field. Choose $P_0$ in this conjugacy class. Choose $n \in \mathbb{Z}_{>0}$ such that $n \equiv 1 \pmod{p \cdot \#J(\mathbb{F}_{q^f})}$. Then the multiplication-by-$n$ map $[n] : J \to J$ is étale, and maps $P_0$ to itself. Let $C' = [n]^{-1}C$, so $C'$ is an étale cover of $C$. Then $C'$ corresponds to a function field $K'$ that is unramified over $K$. Also $P_0 \in C'(\mathbb{F}_{q^f})$ represents a place $Q$ of $K'$ lying over $P$, having the same residue field as $P$. By choosing $n$ large, we can make $g_{K'}$ as large as desired, by the Hurwitz formula. □

Lemma 4. Let $K$ be a function field over $\mathbb{F}_q$ of genus $> 1$, let $P$ be a place of $K$, and let $\varepsilon > 0$. Then there exists an extension $L/K$ with $(g_L - 1)/(g_K - 1) \le (1 + \varepsilon)[L : K]$ such that $P$ ramifies in $L/K$.

Proof. Let $f$ be the degree of $P$ over $\mathbb{F}_q$. For an unramified extension $K'/K$, we have $(g_{K'} - 1)/(g_K - 1) = [K' : K]$ by Hurwitz. By applying Lemma 3, we may replace $(K, P)$ by some $(K', Q)$ in order to assume that $g_K$ is arbitrarily large, without changing $f$.

When $g_K$ is sufficiently large, an easy estimate (e.g. cf. [32, V.2.10]) based on the Weil bounds implies there exist places $Q, Q'$ of $K$ of degrees $d, d + f$ respectively, where $d$ is the smallest integer $\ge \sqrt{g_K}$ and not equal to $f$. Choose a prime $\ell \nmid p \cdot \#G$, where $G$ is the group of degree-zero divisor classes of $K$. Then every element of $G$, and in particular $[Q' - Q - P]$, is divisible by $\ell$. Thus, there exists a divisor $D$ of degree 0 and an element $h$ of $K$ such that $(h) = Q' - Q - P - \ell D$. Let $L = K(h^{1/\ell})$, so $[L : K] = \ell$. Hurwitz gives
$$2g_L - 2 = \ell(2g_K - 2) + (\ell - 1)\bigl((d + f) + d + f\bigr),$$
so
$$\frac{g_L - 1}{[L : K](g_K - 1)} = 1 + \frac{\ell - 1}{\ell}\left(\frac{d + f}{g_K - 1}\right) = 1 + O(g_K^{-1/2}).$$
The $O(g_K^{-1/2})$ term will be $< \varepsilon$ if $g_K$ is sufficiently large. □

Proof (Proof of Theorem 2). Given $K_0$, let $K_1/K_0$ be an extension with $g_1 > 1$. Just as Lemma 2 let us prove Theorem 1, Lemma 4 now lets us construct an everywhere ramified tower $K_1 \subset K_2 \subset \cdots$ such that at the $i$-th step the value of $(g_i - 1)/d_i$ increases by a factor of at most $1 + \varepsilon_i$ for a prescribed $\varepsilon_i > 0$. By choosing $\varepsilon_i$ so that $\prod(1 + \varepsilon_i)$ converges, we obtain such a tower with $\lim (g_i - 1)/d_i < \infty$. Since $d_i \to \infty$, this limit equals $\lim g_i/d_i$. □
4 Question

Can one combine Theorems 1 and 2? In particular, does there exist an everywhere ramified tower in which both $\lim N_i/d_i > 0$ and $\lim g_i/d_i < \infty$?
Abstract. The explicit construction of towers with many rational places plays a key role for the construction of asymptotically good algebraic geometric codes. One way of explicitly constructing towers is given by defining them recursively via a single equation. In this paper we discuss conditions on the defining equation to give towers with many rational places and introduce a new family of such towers.



1 Introduction

Throughout the whole paper, let $f(x, y)$ be an absolutely irreducible polynomial over $\mathbb{F}_q$ with $\deg_y f =: m > 1$. We call a field $\mathcal{T} := \bigcup_{k \ge 0} F_k$ recursively defined by $f(x, y)$ if $F_0 := \mathbb{F}_q(x_0)$ is the rational function field and $F_k := F_{k-1}(x_k)$ where $f(x_{k-1}, x_k) = 0$. If $F_{k-1} \neq F_k$ and $\mathbb{F}_q$ is the exact constant field for all $k > 0$, and $g(F_k) > 1$ for some $k > 0$, we call $\mathcal{T}$ a tower. In the first part of the paper, we are interested in conditions on $f(x, y)$ to define recursively a tower.

A tower $\mathcal{T}$ is called asymptotically good if
$$\lambda(\mathcal{T}) := \lim_{k \to \infty} \frac{N(F_k)}{g(F_k)} > 0,$$
where $N(F_k)$ denotes the number of $\mathbb{F}_q$-rational places of $F_k$ and $g(F_k)$ denotes the genus of $F_k$. The value $\lambda(\mathcal{T})$ is called the limit of $\mathcal{T}$. The construction of asymptotically good towers is of general interest, and in particular it is motivated from coding theory (cf. e.g. [7], [2]). In this paper we are only considering towers with $F_{k+1}/F_k$ tame. Thus all extensions considered are tame. In the second section we prove some facts about a family of recursively defined towers given by an equation of the type
$$y^m = a(x + b)^m + c \quad \text{with } a, b, c \in \mathbb{F}_q^* \text{ and } (m, q) = 1.$$
Among these so-called Fermat towers, there are some asymptotically good ones (cf. e.g. [3]).

In the third section we discuss a (finite) family of new asymptotically good towers with the property that all $F_k$ are unramified over $F_2$ for $k \ge 2$. In general, we call relatively unramified the towers that are unramified above some field $F_i$.
2 On the Construction of Towers

Let $F := \mathbb{F}_q(x, y)$ be an algebraic function field with $f(x, y) = 0$. For elements $\nu, \mu \in \overline{\mathbb{F}}_q \cup \{\infty\}$ we write $\nu \to \mu$ if there is a place $Q \in \mathbb{P}_F$ with $x(Q) = \nu$ and $y(Q) = \mu$. We define the sets
$$M := \{\, \alpha \in \overline{\mathbb{F}}_q \mid P \in \mathbb{P}_{\overline{\mathbb{F}}_q(x)} \text{ with } x(P) = \alpha \text{ is ramified in } F/\overline{\mathbb{F}}_q(x) \text{ of index } m \,\}$$
and
$$N := \{\, \alpha \in \overline{\mathbb{F}}_q \mid Q \in \mathbb{P}_{\overline{\mathbb{F}}_q(y)} \text{ with } y(Q) = \alpha \text{ has at least one place above it in } F \text{ which is ramified of index } e \text{ with } \gcd(e, m) > 1 \,\}.$$
For $\mu \in K \cup \{\infty\}$ ($K = \overline{\mathbb{F}}_q$ or $K = \mathbb{F}_q$), we define $P_\mu$ to be the place $P$ of $K(x_0)$ with $x_0(P_\mu) = \mu$. By $\mathcal{O}_{P_\mu}$ we denote the valuation ring of a place $P_\mu$.

Theorem 1. Suppose there exists a sequence $(\mu_i)_{i \ge 0}$ in $\overline{\mathbb{F}}_q \setminus N$ with $\mu_0 \in M \setminus N$, such that $f(x, y)$ is integral over $\mathcal{O}_{P_{\mu_i}}$ and $\mu_{i+1} \to \mu_i$ for all $i \ge 0$. Then $f(x, y)$ defines recursively a tower $\mathcal{T}$.

Proof. Let $\overline{\mathbb{F}}_q$ be an algebraic closure of $\mathbb{F}_q$. First we consider the field $\mathcal{T}$ recursively defined over $\overline{\mathbb{F}}_q$ (i.e. $F_0 = \overline{\mathbb{F}}_q(x_0)$). Inductively we prove the claim that for each field $F_k$, there is at least one place which is ramified in $F_{k+1}$ of index $m$. Then, it follows from the degree formula that $[F_{k+1} : F_k] = m$.

The claim is true for $F_0$, because the place $P \in \mathbb{P}_{F_0}$ with $x_0(P) = \mu_0$ is totally ramified in $F_1$. Now, suppose the claim is true for $0 \le i < k$. Since $\mu_{i+1} \to \mu_i$ for all $0 \le i < k$ and the polynomial $f(x_0, x_1)$ is integral over $\mathcal{O}_{P_{\mu_i}}$, it follows from the theorem of Kummer (cf. [6, III.3.7]) that there exists a place $P \in \mathbb{P}_{F_k}$ with $x_i(P) = \mu_{k-i}$ for $0 \le i \le k$. As $x_i(P) = \mu_{k-i} \notin N$ and the tower is recursively defined, the place $P \cap \overline{\mathbb{F}}_q(x_i)$ is unramified or ramified with index $e$ satisfying $\gcd(m, e) = 1$ in $\overline{\mathbb{F}}_q(x_{i-1}, x_i)$. Thus, repeated application of Abhyankar's lemma (cf. [6, III.8.9]) yields that $P$ is unramified or ramified with index $e$ satisfying $\gcd(e, m) = 1$ over $P \cap \overline{\mathbb{F}}_q(x_k)$. Since $x_k(P) = \mu_0 \in M$, the place $P \cap \overline{\mathbb{F}}_q(x_k)$ is ramified in $\overline{\mathbb{F}}_q(x_k, x_{k+1})$ of index $m$. Again by Abhyankar's lemma, there exists a place $P'$ of $F_k(x_{k+1})$ which is ramified of index $m$ over $P$ (cf. Figure 1).

Now, let $F_0 = \mathbb{F}_q(x_0)$. Then $\mathbb{F}_q$ is the exact constant field for all $F_k$, as there is a place of $F_k$ which is totally ramified in $F_{k+1}$ but constant field extensions are unramified. □

The theorem above relies essentially on the existence of a totally ramified place in each step of the recursive construction. Obviously, its proof does not work for recursively defined towers which are unramified after a few steps. In the situation of such relatively unramified towers, we can prove a result for the construction of towers by guaranteeing the existence of an inert place in each step.

Fig. 1. Ramification index of a place $P \in \mathbb{P}_{F_k}$.



Theorem 2. Let $F = \mathbb{F}_q(x_0, x_1)$ be a function field with defining equation $f(x_0, x_1) = 0$. Suppose there is an $\mathbb{F}_q$-rational place $P \in \mathbb{P}_{\mathbb{F}_q(x_0)}$ with the following properties:

(*) $P$ is completely splitting in $F$, and there is a place $P' \mid P$, $P' \in \mathbb{P}_F$, with $x_1(P') = x_0(P)$.

(**) For some $n \ge 1$, there is a finite sequence $(\mu_i)_{0 \le i \le n}$ with $\mu_n = x_0(P)$, such that $\mu_{i+1} \to \mu_i$, the place $P_{\mu_0} =: Q$ of $F_0$ has only one totally inert extension in $F$, and the places $P_{\mu_i}$ of $F_0$ are completely splitting in $F$ for $1 \le i \le n$.

Then, $f(x, y)$ defines recursively a tower $\mathcal{T} = \bigcup_{k \ge 0} F_k$, where the field extensions $F_{k+1}/F_k$ satisfy:

1. $[F_{k+1} : F_k] = m$.

2. $\mathbb{F}_q$ is the exact constant field of $F_{k+1}$.

3. $F_{k+1}$ has an $\mathbb{F}_q$-rational place $Q_{k+1}$ with $x_{k+1}(Q_{k+1}) = x_0(Q) = \mu_0$.

Proof. We prove the theorem by induction on $k$. For $k = 0$ all the claims above follow from the assumptions.

Let the claims be true for $k - 1$. By induction it follows from (3), that there exists an $\mathbb{F}_q$-rational place $Q_k \in \mathbb{P}_{F_k}$ with $x_k(Q_k) = x_0(Q)$. We define $R := Q_k \cap \mathbb{F}_q(x_k)$. Then it follows from assumption (**), that there is only one place $R'$ over $R$ in $\mathbb{F}_q(x_k, x_{k+1})$, which is inert of index $f(R' \mid R) = m$. Now, choose a place $\tilde{Q}$ above $Q_k$ in $F_k(x_{k+1})$. The place $\tilde{Q}$ lies above $R'$, because $R'$ is the only extension of $R$ in $\mathbb{F}_q(x_k, x_{k+1})$. Thus, we have $\deg \tilde{Q} \ge m$ and $[F_{k+1} : F_k] = m$ by the degree formula.

Since $\mu_n = x_0(P)$ and $x_0(P) \to x_0(P)$ by assumption (*), we can extend the sequence $(\mu_i)_{0 \le i \le n}$ by elements $\mu_{n+1} = x_0(P)$, $\mu_{n+2} = x_0(P), \dots$ and the sequence keeps the property $\mu_{k+1} \to \mu_k$. We choose the first $k + 2$ elements of the possibly extended sequence. Since $[F_{j+1} : F_j] = m$ for all $0 \le j < k$ and the places $P_{\mu_i}$ are completely splitting by assumption (**), we obtain by repeated application of [6, III.8.4] a place $Q_{k+1}$ with $x_i(Q_{k+1}) = \mu_{k+1-i}$ for $i = 0, \dots, k + 1$. In particular, we have $x_{k+1}(Q_{k+1}) = x_0(Q)$.

The second claim is a consequence of the fact that the $\mathbb{F}_q$-rational places $P_{\mu_i}$ for $i > 0$ are totally splitting and $[F_{k+1} : F_k] = m$. □

3 On Fermat Towers

In this section we consider tame towers of the following type.

Definition 1. A tower $\mathcal{T}$ recursively defined by the equation
$$y^m = a(x+b)^m + c \quad \text{with } a, b, c \in \mathbb{F}_q \text{ and } \gcd(m, q) = 1 \qquad (3)$$
is said to be a tower of Fermat type or a Fermat tower.

The discussion of these towers is motivated by the fact that some among them are asymptotically good (cf. e.g. [3]). For some parameters it is only known that the corresponding equation yields an asymptotically good tower, provided the equation defines recursively a tower in the first place.

Theorem 3. Equation (3) defines recursively a tower $\mathcal{T}$ if and only if $a, b, c \in \mathbb{F}_q^*$.

Proof. First, we consider the case $a, b, c \in \mathbb{F}_q^*$. We want to apply Theorem 1. Let $F := \mathbb{F}_q(x, y)$ be defined by Equation (3). Then $F/\mathbb{F}_q(x)$ is a Kummer extension. Exactly the zeroes $P_\alpha$ of $x - \alpha$ with $a(\alpha + b)^m + c = 0$ are ramified, each of index $m$. Thus, with the notation from Section 1, we have $M := \{\alpha \in \overline{\mathbb{F}}_q \mid a(\alpha + b)^m + c = 0\}$. The extension $F/\mathbb{F}_q(y)$ is a Kummer extension, too. Exactly the zeroes $Q_\beta$ of $y - \beta$, where $\beta^m - c = 0$, are ramified, each of index $m$. Thus we obtain $N := \{\beta \in \overline{\mathbb{F}}_q \mid \beta^m = c\}$.

Next, we want to prove the following claim.

Claim. For each $d \in \overline{\mathbb{F}}_q$ with $d \ne c$, there is a $\mu \in \overline{\mathbb{F}}_q$ with
$$a(\mu + b)^m + c = d \quad \text{and} \quad \mu^m \ne c .$$

Once we have proved the claim, we can choose elements $(\mu_i)_{i \ge 0}$ with $\mu_0 \in M \setminus N$, $a(\mu_{i+1} + b)^m + c = \mu_i^m$ and $\mu_{i+1}^m \ne c$. Equation (3) is integral over all places $P$ which are different from the pole of the function $x$. Thus, Equation (3) defines recursively a tower by Theorem 1.

Proof of the claim. The two polynomials
$$\varphi(T) := (T + b)^m + a^{-1}(c - d) \in \overline{\mathbb{F}}_q[T]$$
and
$$\psi(T) := T^m - c \in \overline{\mathbb{F}}_q[T]$$
are monic and separable (as $c \ne 0$ and $d \ne c$). Since $\gcd(m, q) = 1$ and $b \ne 0$, the coefficient $mb$ of $T^{m-1}$ in $\varphi$ is non-zero, so we have $\psi(T) \ne \varphi(T)$. As $\deg \varphi(T) = \deg \psi(T)$, there exists a $\mu \in \overline{\mathbb{F}}_q$ with $\varphi(\mu) = 0$ and $\psi(\mu) \ne 0$. This proves the claim.

Now let $abc = 0$. If $a = 0$ or $c = 0$, it is obvious that Equation (3) does not define recursively a tower. Thus, assume the equation
$$y^m = a x^m + c \quad \text{with } a, c \in \mathbb{F}_q^* \text{ and } \gcd(m, q) = 1$$
defines recursively a tower $\mathcal{T} := \bigcup_{k \ge 0} F_k$ over $\mathbb{F}_q$. Then $[F_k : F_{k-1}] > 1$ for all $k > 0$. We have $F_k = F_{k-1}(x_k)$, where
$$x_k^m = a^k x_0^m + (1 + a + a^2 + \dots + a^{k-1})\, c .$$
Thus $[F_k : F_{k-1}] = 1$ for $k = \operatorname{char} \mathbb{F}_q$ if $a = 1$, and for $k = \operatorname{ord}(a)$ if $a \ne 1$. Now, we have the following corollary.

Corollary 1. Let $l$ be a power of a prime and let $q = l^r$ with $r \ge 2$. Then the equation
$$y^{(q-1)/(l-1)} = a(x + b)^{(q-1)/(l-1)} + c \quad \text{with } a, c \in \mathbb{F}_l^* \text{ and } b \in \mathbb{F}_q^*, \qquad (4)$$
defines an asymptotically good Fermat tower $\mathcal{T}$ over $\mathbb{F}_q$, and its limit satisfies

[bound not legible in the source]

Proof. By Theorem 3, Equation (4) defines recursively a tower. Now the corollary follows from [3, Proposition 3.6].

Remark:

1. If $ab^m + c = 0$, $m = (q-1)/(l-1)$, it has already been known that Equation (4) defines a tower. If $q = l^2$ it has already been proved by Thomas and Özbudak (cf. [5]).

2. In the case $ab^m + c = 0$, $m = (q-1)/(l-1)$, it can be proved that $\lambda(\mathcal{T}) = 2/(q-2)$ (cf. [8]).

Only for few choices of the parameters $a, b, c$ and $m$ has it been proved that Fermat equations define recursively asymptotically good towers. For most choices of the parameters it is not known whether the resulting towers are asymptotically good or not (over appropriately chosen constant fields). For towers with $ab^m + c = 0$ the ramification locus is infinite in many cases. Here, the ramification locus $V_{F_0}(\mathcal{T})$ of a tower $\mathcal{T}$ over $\mathbb{F}_q$ is defined as usual:
$$V_{F_0}(\mathcal{T}) := \{ P \in \mathbb{P}_{F_0} \mid \text{there is an } i \in \mathbb{N} \text{ such that } P \text{ ramifies in } F_i/F_0 \}.$$

In order to prove this result we need the following polynomial identity, which was first found by Lenstra (cf. [4]). Since we need a slightly different form, we give the proof as well.

Lemma 1. Let $\mathcal{T}$ be a recursively defined tower with defining equation
$$y^m = g(x) \in \mathbb{F}_q[x] \quad \text{where } \deg g(x) = m \text{ and } \gcd(m, q) = 1 .$$
Moreover, let $g(x) = x^d g_1(x)$ with $g_1(0) \ne 0$ and $\gcd(d, m) = 1$. Suppose the tower $\mathcal{T}$ has finite ramification locus $V_{F_0}(\mathcal{T})$. We define $T := \{\alpha^m \mid P_\alpha \in V_{F_0}(\mathcal{T})\}$ and $t := |T|$.

Then we have
$$m x^{m-1} \prod_{\alpha \in T} \big(g(x) - \alpha\big) = a^{t-1} g'(x) \prod_{\alpha \in T} \big(x^m - \alpha\big), \qquad (5)$$
where $a$ is the leading coefficient of $g(x)$ and $g'(x)$ is the formal derivative of $g(x)$.

Proof. We define $V_0 := \{P_0\}$ and $V_{k+1} := \{P_\alpha \in \mathbb{P}_{\mathbb{F}_q(x_0)} \mid \text{there is a } P_\beta \in V_k \text{ with } g(\alpha) = \beta^m\}$. First, we prove $V_{F_0}(\mathcal{T}) = \bigcup_{k \ge 0} V_k$. The inclusion $V_{F_0}(\mathcal{T}) \subseteq \bigcup_{k \ge 0} V_k$ follows from the recursive definition of $\mathcal{T}$. In order to prove the reverse inclusion, we use induction on $k$. $V_0 \subseteq V_{F_0}(\mathcal{T})$ follows from Kummer theory, as $\gcd(d, m) = 1$. Now suppose $\bigcup_{0 \le i \le k} V_i \subseteq V_{F_0}(\mathcal{T})$. Let $P_\alpha \in V_{k+1}$. By definition of $V_{k+1}$, there is a $\beta \in \overline{\mathbb{F}}_q$ with $\beta^m = g(\alpha)$ and $P_\beta \in V_k$. It follows from the theorem of Kummer (cf. [6, III.3.7]) that there is a place $R$ of $F_1$ which lies above $P_\alpha$ and above the zero $P$ of $x_1 - \beta$ in $\mathbb{F}_q(x_1)$. Due to the induction hypothesis, there is a place $Q \in \mathbb{P}_{F_j}$ with $e(Q|P_\beta) > 1$ for some $j \in \mathbb{N}$. Since $\mathcal{T}$ is recursively defined, there is a place $\tilde{Q}$ in $\mathbb{F}_q(x_1, x_2, \dots, x_{j+1})$ over the zero $P$ of $x_1 - \beta$ in $\mathbb{F}_q(x_1)$ with $e(\tilde{Q}|P) > 1$. Since $\gcd(d, m) = 1$, the place $\tilde{Q}$ is totally ramified in $\mathbb{F}_q(x_1, \dots, x_l)/\mathbb{F}_q(x_1, \dots, x_j)$ for all $l > j$. In particular, there exist an $l \in \mathbb{N}$ and a place $Q_l$ of $\mathbb{F}_q(x_1, \dots, x_l)$ above $\tilde{Q}$ such that $e(Q_l|P) \nmid e(R|P_\alpha)$. Again from the theorem of Kummer, there exists a place $S \in \mathbb{P}_{F_l}$ with $S \mid R$ and $S \mid Q_l$. From Abhyankar's lemma we obtain $e(S|R) > 1$. Thus $e(S|P_\alpha) > 1$.

Next, we show that the left hand side of Equation (5) divides the right hand side. Let $\beta \in \overline{\mathbb{F}}_q$ be a zero of the left hand side. If $\beta = 0$, $\beta$ is a zero of the right hand side of multiplicity at least $m$, because $P_0 \in V_{F_0}(\mathcal{T})$. If $\beta \ne 0$, there is a $P_\gamma \in V_{F_0}(\mathcal{T})$ with $\gamma^m = g(\beta)$. Thus $P_\beta \in V_{F_0}(\mathcal{T})$ due to the first part of the proof, and $\beta$ is a zero of the right hand side. The multiplicity of $\beta$ in $g(x) - \alpha$ exceeds the multiplicity of the zero $\beta$ in $g'(x)$ by at most one.

Comparison of the degrees and the leading coefficients in Equation (5) proves the lemma.

Theorem 4. Let $\mathcal{T}$ be a Fermat tower in characteristic $p$ recursively defined by
$$y^m = a(x + b)^m + c \quad \text{with } m \ge 2 \text{ and } ab^m + c = 0 .$$
If the ramification locus $V_{F_0}(\mathcal{T})$ is finite, we have $(t-1)m \equiv -1 \pmod p$, where $t := |\{\alpha^m \mid P_\alpha \in V_{F_0}(\mathcal{T})\}|$.

Proof. Due to Lemma 1 (after dividing both sides by $m$, and with $g'(x) = am(x+b)^{m-1}$) we have
$$x^{m-1} \prod_{\alpha \in T} \big(a(x + b)^m + c - \alpha\big) = a^t (x + b)^{m-1} \prod_{\alpha \in T} \big(x^m - \alpha\big).$$
W.l.o.g. we can assume $b = 1$, carrying out the transformation $x_i \mapsto b^{-1} x_i$. Expanding both sides as polynomials in $x$ (the expansion written out in the source is not legible) and comparing the coefficients at the exponent $(t-1)m$ yields
$$(t-1)m \equiv -1 \pmod p$$
(as $(t-2)m + 1 < (t-1)m$).



4 On Relatively Unramified Towers

Let $q \ne 2, 3$ be a prime power and $m = q - 1$. Moreover, let
$$K := \begin{cases} \mathbb{F}_{q^m} & \text{if } q \equiv 0 \pmod 4 \text{ or } q \equiv 3 \pmod 4, \\ \mathbb{F}_{q^{2m}} & \text{if } q \equiv 1 \pmod 4 . \end{cases}$$

We discuss recursively defined towers $\mathcal{T} = \bigcup_{i \ge 0} F_i$ over $K$ with defining equation
$$y^m = \frac{x^{m-1} + x^{m-2} + \dots + x + 1}{(x - 1)^m} . \qquad (6)$$

Remark: In case $q = 2, 3$ one easily sees that Equation (6) does not define recursively a tower.

First, we want to use Theorem 2 in order to prove that Equation (6) defines recursively towers over specific constant fields.



Proposition 1. The equation
$$y^3 = \frac{x^2 + x + 1}{(x + 1)^3} \qquad (7)$$
defines recursively a tower $\mathcal{T} := \bigcup_{i \ge 0} F_i$ over $\mathbb{F}_{4^3}$.

Proof. Let $a$ be a fixed primitive element of $\mathbb{F}_4$. Let $P$ be a zero of $x_0^3 + x_0 + 1$ in $F_0$. Then $P$ splits completely in the extension $F_1/F_0$ and we denote by $P'$, $Q_1$ and $Q_2$ the places of $F_1$ above $P$. They satisfy $x_1(P') = x_0(P)$, $x_1(Q_1) = a\, x_0(P)$ and $x_1(Q_2) = a^2 x_0(P)$. Setting $\mu_1 = x_0(P)$ and $\mu_0 = a^2 x_0(P)$, the place $Q_2$ has $x_0 = \mu_1$ and $x_1 = \mu_0$, and moreover $\mu_0$ is a root of $x_0^3 + a x_0 + 1 = 0$. One checks that the place $P_{\mu_0}$ of $F_0$ is totally inert in $F_1$, and now the proposition follows from Theorem 2.

Remark: Equation (7) coincides with an equation for a Shimura tower given by Elkies (cf. [1, eq. 49, 50]).
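As an added check (my own code, not part of the paper), the following Python script verifies inside the concrete constant field $\mathbb{F}_{4^3} = \mathbb{F}_{64}$ exactly the facts that the proof of Proposition 1 feeds into Theorem 2: it finds a root $\omega$ of $x^3 + x + 1$ and a primitive element $a$ of $\mathbb{F}_4$, checks that the place $x_0 = \omega$ splits completely in $F_1$ with $x_1 \in \{\omega, a\omega, a^2\omega\}$ (condition (*), including the place $P'$ with $x_1 = x_0$), that $\mu_0 = a^2\omega$ is a root of $x^3 + ax + 1$, and that $P_{\mu_0}$ is totally inert because the right-hand side of (7) at $\mu_0$ is not a cube in $\mathbb{F}_{64}$, so $Y^3 - \text{rhs}$ is irreducible over $K$ (condition (**)). Representing $\mathbb{F}_{64}$ by the modulus $z^6 + z + 1$ and all helper names are my own choices.

```python
# Added example (not from the paper): checking conditions (*) and (**) of
# Theorem 2 for Equation (7) inside GF(64) = F_2[z]/(z^6 + z + 1).
# Elements are integers 0..63 (bit i = coefficient of z^i); z^6 + z + 1 is
# irreducible over F_2.  Helper names are my own.

MOD = 0b1000011  # z^6 + z + 1


def gf_mul(a, b):
    """Multiplication in GF(64)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000000:  # reduce z^6 -> z + 1
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    return gf_pow(a, 62)  # a^63 = 1 for every a != 0


def rhs7(t):
    """Right-hand side of Equation (7), (t^2 + t + 1) / (t + 1)^3, for t != 1."""
    num = gf_mul(t, t) ^ t ^ 1
    return gf_mul(num, gf_inv(gf_pow(t ^ 1, 3)))


def cube_roots(r):
    """All y in GF(64) with y^3 = r.  The places of F_1 over x_0 = t correspond
    to the irreducible factors of Y^3 - rhs7(t) over GF(64): three roots mean
    complete splitting, no root means one totally inert place of degree 3."""
    return sorted(y for y in range(64) if gf_pow(y, 3) == r)


def verify_proposition1():
    # a root of x^3 + x + 1 (it lies in F_8, a subfield of F_64)
    omega = next(t for t in range(64) if gf_pow(t, 3) ^ t ^ 1 == 0)
    # a^2 + a + 1 = 0: a primitive element of F_4 inside F_64
    a = next(t for t in range(2, 64) if gf_mul(t, t) ^ t ^ 1 == 0)
    a2 = gf_mul(a, a)
    mu1, mu0 = omega, gf_mul(a2, omega)

    # (*): x_0 = omega splits completely; the three places above it have
    # x_1 = omega (this is P'), a*omega (Q_1) and a^2*omega (Q_2).
    above_P = cube_roots(rhs7(omega))
    splits = above_P == sorted([omega, gf_mul(a, omega), gf_mul(a2, omega)])

    # (**): Q_2 has x_0 = mu_1 and x_1 = mu_0; mu_0 is a root of x^3 + a x + 1;
    # P_{mu_0} is totally inert since rhs7(mu_0) is a non-zero non-cube.
    step = (mu0 in above_P) and mu0 != mu1
    root_ok = gf_pow(mu0, 3) ^ gf_mul(a, mu0) ^ 1 == 0
    inert = rhs7(mu0) != 0 and cube_roots(rhs7(mu0)) == []
    return {
        "P_splits_completely": splits,
        "mu1_to_mu0": step,
        "mu0_root_of_x3_ax_1": root_ok,
        "P_mu0_totally_inert": inert,
    }


if __name__ == "__main__":
    print(verify_proposition1())
```

The same brute-force cube-root test is what one would run for the other entries of the tables below once the constant field is fixed; only the field size changes.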

Using Theorem 2 we can prove for small prime powers that Equation (6) defines towers. The results are listed in the tables below. The left column gives the size $q$ of the constant field $\mathbb{F}_q$. The zeroes of the polynomial in the second column are totally inert and can be used as places from condition (**) in Theorem 2. The third column gives the length $(n+1)$ of a shortest sequence $(\mu_k)_{0 \le k \le n}$ between a place from condition (*) and a zero from the second column. In all the discussed examples, Theorem 2 guarantees that Equation (6) defines recursively a tower.

(A "?" marks an exponent that is not legible in the source; "illegible" marks a polynomial that could not be recovered from the source.)

  q   | inert zeroes                                      | length of the seq. (mu_k)
  ----+---------------------------------------------------+--------------------------
  5   | x^? + 4x + 2                                      | 2
  7   | illegible (constant term 6)                       | 3
  11  | x^? + 5x + 1                                      | 2
  13  | illegible                                         | 3

  q   | inert zeroes                                      | length of the seq. (mu_k)
  ----+---------------------------------------------------+--------------------------
  4   | x^? + x^? + x^? + x + 1                           | 2
  8   | illegible                                         | 2
  16  | illegible                                         | 2
  32  | x^? + x^? + x^? + x^? + 1                         | 2
  64  | illegible                                         | 2
  128 | x^? + x^? + x^? + x + 1                           | 2
  256 | illegible                                         | 2

In the following, we suppose that Equation (6) defines recursively a tower $\mathcal{T} = \bigcup_{k \ge 0} F_k$.

Next, we want to show that the towers defined by Equation (6) are unramified after a few steps.

Lemma 2. Let $F := K(x, y)$ be defined by Equation (6).

1. Over $K(x)$ exactly the zeroes of $x - \alpha$, $\alpha \in \mathbb{F}_q^* \setminus \{1\}$, and the pole of $x$ are ramified in $F$, each of index $m$.

2. Over $K(y)$ exactly the zeroes of $y - \alpha$, $\alpha \in \mathbb{F}_q^*$, are ramified in $F$, each of index $m$.

Proof. The extensions $F/K(x)$ and $F/K(y)$ are Kummer extensions. Thus, the claims follow from (note that $m = q - 1$)
$$y^m = \frac{x^{m-1} + \dots + x + 1}{(x - 1)^m} = 1 - \left(\frac{x}{x - 1}\right)^m .$$

Proposition 2. Let $\mathcal{T}$ be defined recursively by Equation (6).

1. $\mathcal{T}$ is unramified over $F_2$, i.e. $F_n/F_2$ is unramified for all $n \ge 2$.

2. In $F_2/F_1$ exactly the places of $F_1$ over the place $P_1$ satisfying $x_0(P_1) = 1$ are ramified, each of index $m$.

Proof. First, we prove (2). Let $Q \in \mathbb{P}_{F_1}$ be a place which is ramified in $F_2$. Then $P := Q \cap K(x_1)$ ramifies in $K(x_1, x_2)$. Assume $x_1(P) = \alpha \in \mathbb{F}_q^* \setminus \{1\}$. Then $P$ ramifies in $F_1$ of index $m$, and due to Abhyankar's lemma the place $Q$ is unramified in $F_2$. Thus, $P$ is a pole of $x_1$. Then, again by Abhyankar's lemma, the place $Q$ is ramified in $F_2/F_1$ of index $m$. The poles of $x_1$ in $F_1$ are exactly the places over the zero of $x_0 - 1$.

Assume there is a place $Q \in \mathbb{P}_{F_2}$ which is ramified in $\mathcal{T}$. Then $Q$ has an extension $R \in \mathbb{P}_{F_j}$ for some $j \ge 2$, such that $R$ ramifies in $F_{j+1}$. Analogous to the first part of the proof, we see that $R$ is a pole of $x_j$. Then $x_{j-1}(R) = 1$, and by Abhyankar's lemma the place $R$ is unramified in $F_{j+1}$ (since $j \ge 2$), a contradiction (cf. Figure 2).





Fig. 2. Ramification of a place $R \in \mathbb{P}_{F_j}$ (figure not reproduced): $x_{j-2}$, $x_{j-1} = 1$, $x_j = \infty$, $x_{j+1} = 0$.



Corollary 2. The genus of $F_2$ defined by Equation (6) is equal to
$$g(F_2) = \frac{(m-2)(m-1)(m+1)}{2} .$$

Proof. The claim follows from the Hurwitz genus formula.

A tower $\mathcal{T} = \bigcup_{k \ge 0} F_k$ is called completely splitting if there is an algebraic function field $F \subseteq \mathcal{T}$ such that at least one place of $F$ is completely splitting in all $F_k \supse F$ (cf. [3]).

Proposition 3. The tower $\mathcal{T}$ defined by Equation (6) is completely splitting over $K$. More precisely: let $Q$ be a place in $F_2$ over an $\mathbb{F}_q$-rational place of $F_0$. Then the place $Q$ is completely splitting in $\mathcal{T}/F_2$.

Proof. First, we will investigate the places over $P_\alpha \in \mathbb{P}_{F_0}$ in $F_3$ ($\alpha \in \mathbb{F}_q \cup \{\infty\}$). In order to do so, we distinguish the possible cases and suppose that $2 \nmid q$:

1. Let $\alpha \in \mathbb{F}_q^* \setminus \{1\}$ or $\alpha = \infty$. There is exactly one totally ramified $\mathbb{F}_q$-rational place $P'$ in $F_1$ over $P_\alpha$, with $x_1(P') = 0$. The place $P'$ splits completely in $F_2$ into different $\mathbb{F}_q$-rational places $Q$ in $F_2$ with $x_2(Q) \in \mathbb{F}_q^*$ (due to the theorem of Kummer, cf. [6, III.3.7]). Since $F_3/F_2$ is Galois, each of the places $Q$ splits in $F_3$ into $\mathbb{F}_{q^m}$-rational places (cf. Proposition 2 and the degree formula).

2. Let $\alpha = 1$. We substitute $z := x_1(x_0 - 1)$. Then we have $F_1 = F_0(z)$ and
$$z^m = x_0^{m-1} + \dots + x_0 + 1 \equiv -1 \pmod{P_\alpha} .$$
It follows that $P_\alpha$ splits into $\mathbb{F}_{q^2}$-rational places $P'$ in $F_1$, all of them having $x_1$ as a simple pole. Over each place $P'$ there is exactly one totally ramified place $Q$ in $F_2$ (cf. Proposition 2). Each of these places $Q$ splits into $\mathbb{F}_{q^2}$-rational places in $F_3$ (due to the theorem of Kummer).

3. Now let $\alpha = 0$. The place $P_\alpha$ splits into $\mathbb{F}_q$-rational places $P'$ in $F_1$ with $x_1(P') = \beta \in \mathbb{F}_q^*$ and $v_{P'}(x_1 - \beta) = m$. First, we consider the case $\beta \ne 1$. Then the place $P'$ splits in $F_2$ into $\mathbb{F}_{q^m}$-rational places (with $x_2(Q) = 0$), which split into $\mathbb{F}_{q^m}$-rational places in $F_3$. Now we consider the case $\beta = 1$. The place $P'$ splits into $\mathbb{F}_{q^2}$-rational places in $F_2$. Since $F_3/F_2$ is Galois, these places split into $\mathbb{F}_{q^{2m}}$-rational places $Q'$ in $F_3$. Because of the definition of $K$ we have to prove that the places $Q'$ are $\mathbb{F}_{q^m}$-rational if $q \equiv 3 \pmod 4$. To this end, let $Q' \in \mathbb{P}_{F_3}$ with $x_0(Q') = 0$, $x_1(Q') = 1$, $x_2(Q') = \infty$ and $x_3(Q') = 0$. We use the notation $z = x + O(nQ')$ if $v_{Q'}(z - x) \ge n$ holds. Let $a \in \mathbb{F}_{q^2} \subseteq \mathbb{F}_{q^m}$ with $a^m = -1$. Then we have
$$x_1^m = 1 + t^m, \quad \text{where } t = \frac{a x_0}{x_0 - 1},$$
thus $x_1 = 1 - t^m + t^{2m} + O(3mQ')$ and $(x_1 - 1)^{-1} = -t^{-m}\big(1 + t^m + O(2mQ')\big)$. As
$$\big((x_1 - 1) x_2\big)^m = \big(-t^m + t^{2m} + O(3mQ')\big)^m - 1 - t^m ,$$
we have moreover
$$\frac{(x_1 - 1) x_2}{a} = 1 - t^m + t^{2m} + O(3mQ')$$
(as $q \ne 3$). We obtain
$$x_2 = \frac{a - a t^m + a t^{2m} + O(3mQ')}{x_1 - 1} = -a t^{-m} + O((-m+1)Q') ,$$
and $(x_2 - 1)^{-1} = -a^{-1} t^m + O((m+1)Q')$. Substituting these expansions into $x_3^m = (x_2^{m-1} + \dots + x_2 + 1)/(x_2 - 1)^m$ (the resulting expansion is not legible in the source) shows that $x_3$ is $\mathbb{F}_{q^m}$-rational at $Q'$ if and only if $-a^{-1}$ is an $m$-th power in $\mathbb{F}_{q^m}$.

$-a^{-1}$ is an $m$-th power in $\mathbb{F}_{q^m}$ if and only if $a$ is an $m$-th power in $\mathbb{F}_{q^m}$. We have $a^q = -a$ and $a^{q^2} = a$, which means $a^{q^i} = (-1)^i a$. Now, $a$ is an $m$-th power in $\mathbb{F}_{q^m}$ if there is a $\beta \in \overline{\mathbb{F}}_q \cap \mathbb{F}_{q^m}$ with $\beta^m = a$. As
$$\beta^{q^m - 1} = a^{(q^m - 1)/m} = \prod_{i=0}^{m-1} a^{q^i} = (-1)^{m(m-1)/2} \cdot (-1),$$
and $m(m-1)/2$ is odd exactly when $m \equiv 2 \pmod 4$, we obtain that $\beta$ is in $\mathbb{F}_{q^m}$ if and only if $q \equiv 3 \pmod 4$.

The case $2 \mid q$ is analogous; since $1 \equiv -1 \pmod 2$ all the places are completely splitting over $\mathbb{F}_{q^m}$.

Now, let $k \ge 3$ and $Q' \mid P_\alpha$ be a $K$-rational place in $F_k$. Then we have $x_{k-2}(Q') \in \mathbb{F}_q \cup \{\infty\}$, and the place $Q' \cap K(x_{k-2}, x_{k-1}, x_k)$ is completely splitting (over $K$) in $K(x_{k-2}, x_{k-1}, x_k, x_{k+1})$, which follows from the discussion above. Due to [6, III.8.4] the place $Q'$ is completely splitting in $F_{k+1}$.



Corollary 3. In the tower $\mathcal{T}/K$ there are at least $2m^2 + m$ places of $F_2$ completely splitting in $F_k/F_2$ for all $k \ge 2$.

Theorem 5. Let $\mathcal{T}$ be a relatively unramified recursively defined tower over $\mathbb{F}_q$. Let $F \subseteq \mathcal{T}$ be a function field such that $\mathcal{T}/F$ is unramified. Then we have
$$\lambda(\mathcal{T}) \ge \frac{t}{g(F) - 1} ,$$
where $t$ is the number of places of $F$ which are completely splitting.

Proof. The claim follows directly from the Hurwitz genus formula and the definition of $\lambda(\mathcal{T})$ (cf. [3, Theorem 2.24]).

Theorem 6. Suppose that Equation (6) defines recursively a tower $\mathcal{T}$ over the finite field $K$. Then its limit satisfies
$$\lambda(\mathcal{T}) \ge \frac{4m + 2}{m^2 - 2m - 1} .$$

Proof. The claim follows from Theorem 5, Corollary 3 and Corollary 2.
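The following derivation is added here for the reader and is not part of the paper. It carries the Hurwitz computations behind Corollary 2, Corollary 3 and Theorem 6 through with the paper's own symbols, using only the ramification data of Lemma 2 and Proposition 2 and the place counts in the proof of Proposition 3 (all extensions are tame, as $\gcd(m, q) = 1$):

$$\begin{aligned}
&F_1/K(x_0),\ \text{degree } m: \text{ totally ramified over the } m-1 \text{ zeroes of } x_0 - \alpha,\ \alpha \in \mathbb{F}_q^* \setminus \{1\}, \text{ and over the pole of } x_0, \\
&\qquad 2g(F_1) - 2 = m \cdot (-2) + m(m-1) \;\Rightarrow\; g(F_1) = \frac{(m-1)(m-2)}{2}, \\
&F_2/F_1,\ \text{degree } m: \text{ by Proposition 2 ramified exactly over the } m \text{ places of } F_1 \text{ with } x_0 = 1, \text{ each with } e = m, \\
&\qquad 2g(F_2) - 2 = m\big(2g(F_1) - 2\big) + m(m-1) = m^3 - 2m^2 - m \;\Rightarrow\; g(F_2) = \frac{(m-2)(m-1)(m+1)}{2}, \\
&\text{places of } F_2 \text{ over } \mathbb{F}_q\text{-rational places of } F_0 \text{ (cases 1, 2, 3 of the proof of Proposition 3):}\ m \cdot m + m + (m-1)m + m = 2m^2 + m, \\
&\lambda(\mathcal{T}) \;\ge\; \frac{2m^2 + m}{g(F_2) - 1} \;=\; \frac{2(2m^2 + m)}{m^3 - 2m^2 - m} \;=\; \frac{4m + 2}{m^2 - 2m - 1}.
\end{aligned}$$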
Abstract. Let $C$ be the primitive ternary BCH code of length $3^m - 1$ with designed distance $\delta$. It is shown that, when $\delta = 8$, then the covering radius of $C$ is 7 whenever $m \ge 20$ and $m$ is even, and when $\delta = 14$, then the covering radius of $C$ is 13 whenever $m \ge 46$. The technique involves Galois-theoretic criteria on the splitting of polynomials over finite fields.

1 The Problem

Let $q = 3^m$ and $C = C(m, \delta)$ be the primitive ternary (narrow sense) BCH code of length $q - 1$ with designed distance $\delta$. We consider here only the case $\delta = 3t - 1$. For this it has been shown by Kaipainen ([9], Theorem 3.0.1) that the covering radius $\rho$ of $C$ is at most $\delta$ whenever $q \ge q_0$, where $q_0$ depends only on $\delta$. On the other hand it follows from the "Supercode Lemma" (cf. [2]) that $\rho \ge \delta - 1$ for sufficiently large $q$.

In this paper we identify two situations where $\rho$ attains this lower bound for an infinite range of $q$ exceeding an explicit value.

Theorem 1.

(i) Suppose $\delta = 8$. Then the covering radius of $C$ is 7 whenever $m \ge 20$ and $m$ is even.

(ii) Suppose $\delta = 14$. Then the covering radius of $C$ is 13 whenever $m \ge 46$.

To prove this it is necessary to modify significantly a method that was originally used by the second author in [4] to establish the corresponding results about the covering radius of binary primitive BCH codes.

We remark that with the given small values of $t$ it is convenient to settle certain problems by explicit calculations, e.g. with Maple. We have in hand, however, a study of the whole problem for designed distance $\delta = 3t - 1$ and $\delta = 3t$ for general $t$ that avoids the use of a computer.

2 Algebraic Formulation

The first step of the method is the transformation of the coding theoretical problem into one of the splitting of a certain polynomial over $\mathbb{F}_q$. This part is analogous to the procedure in the binary case [4]. We describe it rather briefly.
We start from an idea that goes back to Helleseth [8]: to prove $\rho \le \delta - 1 = 3t - 2$ it suffices to show that for any choice of $a_k \in \mathbb{F}_q$ ($1 \le k \le 3t - 2$, $3 \nmid k$) the system of equations
$$\varepsilon_1 x_1^k + \varepsilon_2 x_2^k + \dots + \varepsilon_{3t-2} x_{3t-2}^k = a_k \qquad (1 \le k \le 3t - 2,\ 3 \nmid k) \qquad (1)$$
has a solution $(\varepsilon_1, \dots, \varepsilon_{3t-2})$, $(x_1, \dots, x_{3t-2})$ with $\varepsilon_i \in \mathbb{F}_3^*$ and $x_i \in \mathbb{F}_q$.

To fill the "gaps" for $3 \mid k$ in the system we add redundant equations of the same form with $a_{3j} := a_j^3$ ($j = 1, \dots, t - 1$). Although there is freedom in the choice of the $\varepsilon_i$, in view of subsequent manipulations we fix $\varepsilon_i := 1$ for all $i = 1, \dots, 3t - 2$. Then, by replacing all $x_i$ with $x_i - a_1$, it can be assumed that $a_1 = 0$. Writing $\sigma_k := x_1^k + \dots + x_{3t-2}^k$, we may abbreviate the system (1) to
$$\sigma_k = a_k \quad (k = 1, \dots, 3t - 2), \qquad a_1 = 0 . \qquad (2)$$

Now let a fixed system (2) be given. Let $s_k$ denote the $k$-th elementary symmetric polynomial in $x_1, \dots, x_{3t-2}$, $s_0 := \sigma_0 := 1$. Newton's identities imply that a solution to (2) satisfies
$$s_k = \frac{1}{k} \sum_{i=0}^{k-1} (-1)^{k-i-1}\, \sigma_{k-i}\, s_i , \qquad 1 \le k \le 3t - 2,\ 3 \nmid k , \qquad (3)$$
with $s_k = s_k(x_1, \dots, x_{3t-2})$. Conversely it is evident that if we start from arbitrary elements $s_3, \dots, s_{3t-3} \in \mathbb{F}_q$ and use (3) and $s_1 := a_1 = 0$ to define $s_1, s_2, s_4, \dots, s_{3t-2} \in \mathbb{F}_q$ recursively, then the roots of the polynomial
$$f(x) := \sum_{i=0}^{3t-2} (-1)^i s_i\, x^{3t-2-i} \in \mathbb{F}_q[x]$$
in the algebraic closure $\overline{\mathbb{F}}_q$ of $\mathbb{F}_q$ form a solution to (2). Hence it suffices if for any choice of $a_k \in \mathbb{F}_q$ ($3 \nmid k$), $a_1 = 0$, we manage to find $s_3, \dots, s_{3t-3} \in \mathbb{F}_q$ such that $f(x)$ splits completely over $\mathbb{F}_q$.

We re-write $f(x)$ expressing the $s_k$ for which $3 \nmid k$ in terms of the $s_k$ for which $3 \mid k$. Set $A_0 := 1$ and define recursively for $k = 1, \dots, 3t - 2$,
$$A_k := \begin{cases} 0, & \text{if } 3 \mid k, \\[4pt] \dfrac{1}{k} \displaystyle\sum_{i=0}^{k-1} (-1)^{k-i-1}\, a_{k-i}\, A_i, & \text{if } 3 \nmid k . \end{cases}$$

(This transition from $a_1, \dots, a_{3t-2}$ to $A_0, \dots, A_{3t-2}$ is reversible; we can therefore assume that (2) is given in the latter form. Also note that $A_1 = 0$.) Then, from (3),
$$s_k = \sum_{\mu=0}^{\lfloor k/3 \rfloor} A_{k-3\mu}\, s_{3\mu} \qquad \text{for all } 1 \le k \le 3t - 2 .$$

Substituting this into $f(x)$ and rearranging terms, we finally arrive at
$$f(x) = \sum_{k=0}^{t-1} (-1)^k s_{3k} \Big( x^{3t-2-3k} + x^2 g^{(1)}_{t-2-k}(x^3) + g^{(0)}_{t-2-k}(x^3) \Big), \qquad (4)$$
where $g^{(0)}_{-1} := g^{(1)}_{-1} := 0$, and, for $d = 0, \dots, t - 2$,
$$g^{(0)}_d(x^3) = \sum_{i=0}^{d} \pm A_{3(d-i)+4}\, x^{3i}, \qquad g^{(1)}_d(x^3) = \sum_{i=0}^{d} \pm A_{3(d-i)+2}\, x^{3i}$$
are polynomials of degree at most $3d$ (the signs, which alternate with $i$, are not legible in the source; they disappear after the normalisation below).

The task is now to show for $t = 3, 5$ that for any choice of $A_k \in \mathbb{F}_q$ ($1 \le k \le 3t - 2$, $3 \nmid k$), $A_1 = 0$, we can find $s_3, \dots, s_{3t-3} \in \mathbb{F}_q$ such that (4) splits completely over $\mathbb{F}_q$. Note that we can assume at least one of the $A_k$ is non-zero (otherwise choose $s_3, \dots, s_{3t-3} = 0$). For notational convenience we replace the $s_{3k}$ for odd $k$ and the $A_{3k \pm 1}$ for even $k$ with their negatives; thus (4) simplifies to
$$f(x) = \sum_{k=0}^{t-1} s_{3k} \Big( x^{3t-2-3k} + x^2 g^{(1)}_{t-2-k}(x^3) + g^{(0)}_{t-2-k}(x^3) \Big), \qquad (5)$$
where the explicit forms of the relevant polynomials $g^{(0)}, g^{(1)}$ are:
$$g^{(0)}_0(x^3) = A_4, \quad g^{(0)}_1(x^3) = A_4 x^3 + A_7, \quad g^{(0)}_2(x^3) = A_4 x^6 + A_7 x^3 + A_{10}, \quad g^{(0)}_3(x^3) = A_4 x^9 + A_7 x^6 + A_{10} x^3 + A_{13},$$
$$g^{(1)}_0(x^3) = A_2, \quad g^{(1)}_1(x^3) = A_2 x^3 + A_5, \quad g^{(1)}_2(x^3) = A_2 x^6 + A_5 x^3 + A_8, \quad g^{(1)}_3(x^3) = A_2 x^9 + A_5 x^6 + A_8 x^3 + A_{11}.$$

In the next section we state the necessary auxiliary results for our proof of Theorem 1, along with some terminology and notation.
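To make the reduction of this section concrete, here is an added Python example (my own code, not the paper's) that carries it out over $\mathbb{F}_{27}$ for $t = 3$, i.e. $n = 3t - 2 = 7$. It takes a constructed sample of seven elements $x_i$, shifts them so that $a_1 = \sigma_1 = 0$, computes the power sums $\sigma_k$, and then verifies in turn the redundant relation $a_{3j} = a_j^3$, Newton's identities (3) for $3 \nmid k$, the recursion for the $A_k$ together with the identity $s_k = \sum_\mu A_{k-3\mu} s_{3\mu}$, that $f(x) = \sum_i (-1)^i s_i x^{n-i}$ is $\prod_i (x - x_i)$, and finally the decomposition (5) into $f_0 + u f_1 + s_6 x$ with the explicit $f_0, f_1$ of Section 4 (after negating $s_3$, $A_5$ and $A_7$ as the normalisation prescribes, so that $u = -s_3$). $\mathbb{F}_{27}$ is represented as $\mathbb{F}_3[z]/(z^3 + 2z + 1)$; the sample and all helper names are mine.

```python
# Added example (not from the paper): the reduction of Section 2 over GF(27)
# for t = 3 (n = 7).  GF(27) = F_3[z]/(z^3 + 2z + 1); elements are triples
# (c0, c1, c2) meaning c0 + c1 z + c2 z^2.  The modulus has no root in F_3,
# hence is irreducible.  The sample roots and all helper names are my own.

ZERO, ONE = (0, 0, 0), (1, 0, 0)


def gf_add(a, b):
    return tuple((x + y) % 3 for x, y in zip(a, b))


def gf_neg(a):
    return tuple((-x) % 3 for x in a)


def gf_mul(a, b):
    prod = [0] * 5
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % 3
    for k in (4, 3):  # reduce with z^3 = z + 2 (i.e. z^3 + 2z + 1 = 0)
        c, prod[k] = prod[k], 0
        prod[k - 2] = (prod[k - 2] + c) % 3
        prod[k - 3] = (prod[k - 3] + 2 * c) % 3
    return tuple(prod[:3])


def gf_pow(a, e):
    r = ONE
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def gf_sum(items):
    acc = ZERO
    for x in items:
        acc = gf_add(acc, x)
    return acc


def gf_scalar(n):
    """The prime-field element n mod 3 inside GF(27)."""
    return (n % 3, 0, 0)


# Polynomials over GF(27): list of coefficients, index = exponent.
def poly_mul(f, g):
    out = [ZERO] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = gf_add(out[i + j], gf_mul(a, b))
    return out


def poly_add(f, g):
    n = max(len(f), len(g))
    f = f + [ZERO] * (n - len(f))
    g = g + [ZERO] * (n - len(g))
    return [gf_add(a, b) for a, b in zip(f, g)]


def poly_scale(c, f):
    return [gf_mul(c, a) for a in f]


def signed(term, k, i):
    """(-1)^(k-i-1) * term, the sign pattern of (3) and of the A_k recursion."""
    return gf_neg(term) if (k - i - 1) % 2 else term


def check_section2():
    t = 3
    n = 3 * t - 2
    # constructed sample of n = 7 distinct elements of GF(27)
    raw = [(1, 0, 0), (2, 0, 0), (0, 1, 0), (0, 2, 0), (0, 0, 1), (0, 0, 2), (1, 1, 0)]
    # replace x_i by x_i - a_1: since n = 1 (mod 3) this makes sigma_1 = 0
    a1 = gf_sum(raw)
    roots = [gf_add(x, gf_neg(a1)) for x in raw]
    assert len(set(roots)) == n

    # power sums sigma_k = a_k of system (2), k = 1..n
    a = {k: gf_sum(gf_pow(x, k) for x in roots) for k in range(1, n + 1)}
    redundant_ok = all(a[3 * j] == gf_pow(a[j], 3) for j in range(1, t))

    # s_k = k-th elementary symmetric polynomial = coefficient of X^(n-k) in prod (X + x_i)
    prod_plus = [ONE]
    for x in roots:
        prod_plus = poly_mul(prod_plus, [x, ONE])
    s = {k: prod_plus[n - k] for k in range(0, n + 1)}

    # Newton's identities (3) for 3 \nmid k; note 1/k = k in F_3
    newton_ok = all(
        gf_mul(gf_scalar(k), gf_sum(signed(gf_mul(a[k - i], s[i]), k, i) for i in range(k))) == s[k]
        for k in range(1, n + 1) if k % 3
    )

    # the A_k and the identity s_k = sum_mu A_{k-3mu} s_{3mu}
    A = {0: ONE}
    for k in range(1, n + 1):
        if k % 3 == 0:
            A[k] = ZERO
        else:
            A[k] = gf_mul(gf_scalar(k), gf_sum(signed(gf_mul(a[k - i], A[i]), k, i) for i in range(k)))
    identity_ok = all(
        s[k] == gf_sum(gf_mul(A[k - 3 * mu], s[3 * mu]) for mu in range(k // 3 + 1))
        for k in range(1, n + 1)
    )

    # f(X) = sum_i (-1)^i s_i X^(n-i) must equal prod (X - x_i)
    f = [ZERO] * (n + 1)
    for i in range(n + 1):
        f[n - i] = gf_neg(s[i]) if i % 2 else s[i]
    prod_minus = [ONE]
    for x in roots:
        prod_minus = poly_mul(prod_minus, [gf_neg(x), ONE])
    f_ok = f == prod_minus

    # decomposition (5) for t = 3 after the normalisation s_3 -> -s_3, A_5 -> -A_5,
    # A_7 -> -A_7:  f = f_0 + u f_1 + s_6 X with u = -s_3 and f_0, f_1 as in Section 4
    u, A5, A7 = gf_neg(s[3]), gf_neg(A[5]), gf_neg(A[7])
    f0 = [A7, ZERO, A5, A[4], ZERO, A[2], ZERO, ONE]   # x^7 + A_2 x^5 + A_4 x^3 + A_5 x^2 + A_7
    f1 = [A[4], ZERO, A[2], ZERO, ONE]                  # x^4 + A_2 x^2 + A_4 (the v x term is s_6 x)
    rhs = poly_add(poly_add(f0, poly_scale(u, f1)), [ZERO, s[6]])
    decomposition_ok = rhs == f

    return {"redundant": redundant_ok, "newton": newton_ok, "A_identity": identity_ok,
            "f_def": f_ok, "decomposition": decomposition_ok}


if __name__ == "__main__":
    print(check_section2())
```

Every check is exact field arithmetic, so the script is also a convenient way to confirm the sign conventions of (3), (4) and (5) before reusing them for $t = 5$.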
3 Sufficient Criteria

Throughout this section let $f_0, f_1 \in \mathbb{F}_q[x]$ be monic polynomials with $n := \deg f_0 > \deg f_1 \ge 2$ and $f_0/f_1 \notin \ldots$ (the excluded set is not legible in the source), and let $F_u(x) := f_0(x) + u f_1(x)$, with $u$ an indeterminate. Denote by $\overline{G}$ the Galois group of $F_u$ over $\overline{\mathbb{F}}_q(u)$ and by $G$ the Galois group of $F_u$ over $\mathbb{F}_q(u)$ (sometimes called the "geometric" and "arithmetic" monodromy group, respectively), viewed as permutation groups on the roots of $F_u$. Then always $\overline{G} \subseteq G$.

Lemma 1. Suppose $\overline{G} = G$. Then there exists an $a \in \mathbb{F}_q$ such that $F_a$ splits completely over $\mathbb{F}_q$ provided $q > [(n-2) \cdot n!]^2$.

Proof. [5], Lemma 5.1 plus remark on p. 325.

Let $K$ be a field. A polynomial $g \in K[x]$ will be called simple if all its factors over its splitting field have multiplicity 1 except for exactly one which has multiplicity 2.

A rational function $g/h$ with $g, h \in K[x]$ is called (functionally) decomposable over $K$ if there exist rational functions $Q = Q_1/Q_2$, $R = R_1/R_2$ with $Q_1, Q_2, R_1, R_2 \in K[x]$, $\gcd(Q_1, Q_2) = \gcd(R_1, R_2) = 1$, such that $g(x)/h(x) = Q(R(x))$ and neither $Q$ nor $R$ is a linear fraction. If $g/h$ is not decomposable it is called indecomposable.

Suppose $g/h$ is decomposable with decomposition as above. Write $\omega_i := \deg Q_i$ and $\rho_i := \deg R_i$ ($i = 1, 2$). If $\deg g > \deg h$, it is always possible to arrange that
$$\frac{g(x)}{h(x)} = c \cdot Q(R(x)) \qquad (6)$$
with $c \in K$, $Q_1, Q_2, R_1, R_2$ monic, $\omega_1 > 1$, $\rho_1 > 1$, $\omega_1 > \omega_2$, $\rho_1 > \rho_2$. Unless otherwise mentioned, assume all decompositions in this paper have been normalised in this way.

Writing out (6), we obtain
$$\frac{g(x)}{h(x)} = \frac{R_2^{\omega_1}(x) \cdot Q_1\big(R_1(x)/R_2(x)\big)}{R_2^{\omega_1 - \omega_2}(x) \cdot \big[ R_2^{\omega_2}(x) \cdot Q_2\big(R_1(x)/R_2(x)\big) \big]} \qquad (7)$$
where the numerator and the expression in square brackets on the right-hand side are polynomials. Suppose $g$ and $h$ are co-prime; then we can equate numerators and denominators and conclude
$$\deg g = \omega_1 \rho_1, \qquad \deg h = (\omega_1 - \omega_2)\rho_2 + \omega_2 \rho_1 ; \qquad (8)$$
in particular, $g/h$ must then be indecomposable whenever $\deg g$ is prime or $\deg h = 1$.

We return to Lemma 1 and give sufficient conditions for $\overline{G} = G$. Let $S_n$, $A_n$ denote the symmetric group and alternating group, respectively, on $n$ letters.

Lemma 2. Suppose $F_u$ satisfies all of the following conditions:

(i) $f_0$ and $f_1$ are co-prime,

(ii) $f_0/f_1$ is indecomposable over $\overline{\mathbb{F}}_q$,

(iii) $F_\beta$ is simple for some $\beta \in \overline{\mathbb{F}}_q$.

Then $\overline{G} = G = S_n$.

Proof. [5], Lemma 3.1. In combination with (i), (ii) implies that $\overline{G}$ is a primitive group and (iii) that $\overline{G}$ contains a transposition. This suffices to give $\overline{G} = S_n$. □

If $F_\beta'$ is identically zero (irrespective of the choice of $\beta$) then it is impossible to establish condition (iii). In characteristic 2 an alternative is to require that $\deg f_0 - \deg f_1 = 2$ and $f_1$ be square-free, which again yields a transposition in $\overline{G}$. Though this remains true in the ternary case, it is not helpful in the situation of Sect. 2, because the degrees of the summands of (5) corresponding with the $s_{3k}$ decrease in steps of three. Instead we use the following criterion, writing $\Delta_u$ for the discriminant of $F_u(x)$ as a polynomial in $x$ over $\mathbb{F}_q(u)$.

Lemma 3. Suppose $F_u$ satisfies all of the following conditions:

(i) $f_0$ and $f_1$ are co-prime,

(ii) $f_0/f_1$ is indecomposable over $\overline{\mathbb{F}}_q$,

(iii) $\deg f_0 - \deg f_1 = 3$ and $f_1$ has no factor of multiplicity divisible by 3,

(iv) $\Delta_u$ is either a non-square in $\overline{\mathbb{F}}_q(u)$ ("situation S") or a square in $\mathbb{F}_q(u)$ ("situation A").

Then $\overline{G} = G$, and this group is equal to $S_n$ (in "situation S") or $A_n$ (in "situation A").

Proof. As before, (i) and (ii) ensure that $\overline{G}$ is a primitive group. From (iii) we obtain a 3-cycle in $\overline{G}$ (from ramification "at infinity"; see [5], Sect. 4, with $e_r = e_r(\infty) = 3$ at the beginning of the second paragraph on p. 330). Therefore $A_n \subseteq \overline{G}$. Now (iv) implies that either $S_n = \overline{G} \subseteq G \subseteq S_n$ or $A_n \subseteq \overline{G} \subseteq G \subseteq A_n$. □

Our strategy for a proof of Theorem 1 will now be as follows. Express the polynomial $f(x)$ as $F_u(x) = f_0(x) + u f_1(x)$, $u \in \mathbb{F}_q^*$, where $f_0$ or $f_1$ depends on a parameter $v \in \mathbb{F}_q$, and then show that $v$ can be chosen in a way that the conditions of Lemma 2 or Lemma 3 are satisfied. This is usually achieved by showing that the number of $v$, even in $\overline{\mathbb{F}}_q$, for which one of the conditions is NOT satisfied is (much) smaller than $q$. Then Lemma 1 applies and proves the existence of a suitable choice of $u$ for which $f(x)$ splits completely, as well as (with $n = 3t - 2$) the explicit lower bounds for a sufficient size of $q$ stated in Theorem 1.
4 Designed Distance Eight

This is equivalent to taking $t = 3$, and we have the choice of $s_3$ and $s_6$. Put $s_3 := u$ and $s_6 := uv$ with $u \in \mathbb{F}_q^*$, $v \in \mathbb{F}_q$. Then $f(x) = F_u(x) = f_0(x) + u f_1(x)$ with
$$f_0(x) = x^7 + A_2 x^5 + A_4 x^3 + A_5 x^2 + A_7, \qquad f_1(x) = x^4 + A_2 x^2 + v x + A_4 .$$

Distinguish four cases as follows.

(1) $A_4$ and $A_7$ are not both zero, $A_2$ and $A_4$ are not both zero.

(2) $A_4$ and $A_7$ are not both zero, $A_2 = A_4 = 0$.

(3) $A_4 = A_7 = 0$, $A_2 \ne 0$.

(4) $A_4 = A_7 = A_2 = 0$.

We show that in all cases $v \in \mathbb{F}_q$ can be found such that Lemma 3 applies.

Case (1). Suppose $v$ is such that $f_0$ and $f_1$ have a common root $\gamma \in \overline{\mathbb{F}}_q$. By assumption $\gamma \ne 0$, so $f_1(\gamma) = 0$ determines $v = -(\gamma^4 + A_2 \gamma^2 + A_4)/\gamma \in \overline{\mathbb{F}}_q$ uniquely. Since there are at most seven non-zero roots of $f_0$ in $\overline{\mathbb{F}}_q$, there are at most seven values $v \in \overline{\mathbb{F}}_q$ for which $f_0$ and $f_1$ are not co-prime. Exclude these from further consideration.

Indecomposability of $f_0/f_1$ is clear (for all remaining $v$) because $\deg f_0 = 7$ is prime.

To establish condition (iii) of Lemma 3 we show that with few exceptions $f_1$ is square-free. Suppose $f_1$ has a repeated root $\gamma$ in $\overline{\mathbb{F}}_q$. Then
$$f_1(\gamma) = \gamma^4 + A_2 \gamma^2 + v \gamma + A_4 = 0, \qquad (9)$$
$$f_1'(\gamma) = \gamma^3 - A_2 \gamma + v = 0 . \qquad (10)$$
Taking (9) $- \gamma \cdot$ (10), one obtains $-A_2 \gamma^2 + A_4 = 0$, which implies $A_2 \ne 0$. Solving for $\gamma$ and substituting in (10) we see that there are at most two values of $v$, namely $\pm \sqrt{A_4/A_2}\,(A_2 - A_4/A_2)$, for which $f_1$ is not square-free and which we exclude.

Finally, Maple was used to compute $\Delta_u$, a polynomial in $u$ of degree $\le 5$. If $A_2 \ne 0$ then the coefficient of $u^5$, as a polynomial in $v$, has a leading term that is a non-zero constant multiple of a power of $v$ (the exponents are not legible in the source). This is non-zero provided we avoid $v = 0$, so that in this case $\Delta_u$ is a non-square in $\overline{\mathbb{F}}_q(u)$. Otherwise, if $A_2 = 0$ but $A_5 \ne 0$, we must have $A_4 \ne 0$; then the coefficient of $u^5$ in $\Delta_u$ is a non-zero monomial in $A_4$ and $A_5$, and $\Delta_u$ is again a non-square in $\overline{\mathbb{F}}_q(u)$. Finally, if $A_2 = A_5 = 0$ (whence again $A_4 \ne 0$), then $\Delta_u = -A_4^{\,k_1}(A_4 v + A_7)^{k_2} u^{k_3} - A_4^{\,k_4}$ with positive exponents $k_1, \dots, k_4$ that are not legible in the source, so that if we avoid $v = -A_7/A_4$, then once more $\Delta_u$ is a non-square in $\overline{\mathbb{F}}_q(u)$.

In summary, all four conditions of Lemma 3 hold for all but at most ten values $v \in \overline{\mathbb{F}}_q$.

Case (2). In this case $A_7 \ne 0$. Choose $v = 0$ (any other choice of $v$ would lead to a root of multiplicity three in $f_1$). Then $f_0(x) = x^7 + A_5 x^2 + A_7$, $f_1(x) = x^4$ and the conditions (i)–(iii) of Lemma 3 are clearly satisfied.

By Maple, $\Delta_u$ is a polynomial in $u$ whose constant term is $-A_7^6$ and whose remaining coefficients are monomials in $A_5$ and $A_7$ (their exponents are not legible in the source). If $A_5 \ne 0$ then the discriminant of $\Delta_u$ as a polynomial in $u$ over $\overline{\mathbb{F}}_q$ is a non-zero monomial in $A_5$ and $A_7$, hence $\Delta_u$ is a non-square in $\overline{\mathbb{F}}_q(u)$. If $A_5 = 0$ then $\Delta_u = -A_7^6$; this is a square in $\mathbb{F}_q(u)$ exactly if $-1$ is a square in $\mathbb{F}_q$, i.e. exactly if $m$ is even. (This is where the restriction on $m$ is vital.)

Case (3). Here $f_0(x)$ and $f_1(x)$ always have a common factor $x$. Work instead with $f_0^*(x) := f_0(x)/x = x^6 + A_2 x^4 + A_5 x$ and $f_1^*(x) := f_1(x)/x = x^3 + A_2 x + v$. (Lemma 1 can be applied to a polynomial of lower degree than $f_0$, and if $F_u^*(x) := f_0^*(x) + u f_1^*(x)$ splits then so does $F_u(x) = x \cdot F_u^*(x)$. Henceforth we omit the asterisks.)

Obviously one has to avoid $v = 0$ to make $f_0$ and $f_1$ co-prime. Apart from that we see, adapting the argument from Case (1), that at most five more values of $v \in \overline{\mathbb{F}}_q$ (given by the non-zero roots of $f_0$) have to be excluded for co-primality.

Suppose $f_0/f_1$ is decomposable. From (8), only two types of decomposition can occur: $(\omega_1, \omega_2, \rho_1, \rho_2) = (2, 1, 3, 0)$ or $(3, 0, 2, 1)$. In the first case put $Q_1(x) := x^2 + Ax + B$, $Q_2(x) := x + C$, $R_1(x) := x^3 + Dx^2 + Ex + F$. Comparing $Q_2(R_1(x)) = x^3 + Dx^2 + Ex + F + C$ with $f_1(x) = x^3 + A_2 x + v$ implies $D = 0$ and $E = A_2 \ne 0$. But then from the quadratic coefficients of $Q_1(R_1(x))$ and $f_0(x)$ we find $AD + E^2 - DF = 0$, a contradiction. Hence this type of decomposition cannot occur. Similarly, in the second case we would have to have $f_1(x) = R_2^3(x)$, hence $A_2 = 0$, which is also a contradiction. Therefore $f_0/f_1$ is indecomposable (regardless of $v$).

As $f_1'(x) = A_2 \ne 0$, $f_1$ is square-free for all $v \in \overline{\mathbb{F}}_q$.

Finally, $\Delta_u = -A_2^{\,k_1}(A_5 + A_2 v)^{k_2} u^{k_3} - A_2^{\,k_4}$ with positive exponents $k_1, \dots, k_4$ that are not legible in the source. Avoiding $v = -A_5/A_2$ makes $\Delta_u$ a non-square in $\overline{\mathbb{F}}_q(u)$, so that again all conditions of Lemma 3 are satisfied for a suitable choice of $v$.

Case (4). Again choose $v = 0$ and divide $f_0(x)$ and $f_1(x)$ by their common factor $x^2$. Then $f_0(x) = x^5 + A_5$ and $f_1(x) = x^2$. These obviously satisfy conditions (i)–(iii) of Lemma 3, and $\Delta_u = -A_5^4$ is a square in $\mathbb{F}_q(u)$ provided $m$ is even. This completes the proof of part (i) of Theorem 1.

5 Designed Distance Fourteen 

Now t = 5, and we have the choice of S3, Sg, Sg and S12. 

We distinguish three cases. If A2, . . . , Aig are not all zero, let j G {1, 2, 3} be 
minimal such that Ag^-i and Ag^+i are not both zero, and put Ag^-i =: C2, 
Agj+i =: Cg. The three cases are 

(I) A2 = . . . = Aio = 0, 

(II) C09P ^ C2gi°\ 

(HI) 

Case (I). Choose S3 := m G F*. (All other 33k are understood to be zero.) 
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If Ai3 yf 0 then fo{x) = + Anx"^ + A13 and /i(a;) = whereas if 

7^13 = 0 (then All ^ 0) we divide out the common factor and work with 
fo{x) = x^^ + Till and fi{x) = x®. In both cases conditions (i)-(iii) of Lemma 3 
are obviously satisfied, /o being each time of prime degree. 

To establish condition (iv), we used Maple to study the discriminants. Con- 
sider first the situation where Ai^ yf 0. If An = 0 then = A\‘^, a square in 
¥q(u). Otherwise, if An is non-zero, the discriminant of A^ as a polynomial in 
u is All All 7^ therefore A^ is a non-square in Fq(rt). Finally, in the situation 
where A 13 = 0 we have A^ = A\i, again a square in Fg(u). Hence in all cases 
Lemma 3 applies. 



Case (II). In this case (only) we use Lemma 2. 

First observe that under the assumption of this case one of the coefficients 
^13, ^10) • • ■ 5 ^3i-i-i = C'o must be non-zero, i.e. yf 0. If Co = 0 = A 13 , fix I 
with j < I < 4 such that A^u^i yf 0 and put w := I. Otherwise, if one of Cq, A13 
is non-zero, put w := 0 (then the choice of I will be irrelevant). 

Now choose Si2-3j := u G F*, Si2-3z := w (ignore this if w = 0) and 
S12 := u e F,. Then /(x) = F„(x) = /o(x) -I- ufi{x) with 

/o(x) = -k x‘^gf\x^) + gf\x^) + 

+ wx®*+^ -I- wx^(/|^\(x®) -I- rc(/J°\(x®) -I- vx , 

/l(x) = x®-^ + i -k C2X^ -k Co , 

where the w-terms in /o(x) are present if and only if Cq = A 13 = 0. 

(i) Co-primality. By construction, one of $f_0, f_1$ has a non-zero constant term 
($A_{3l+1}$ being the constant term of $g_l^{(0)}$), hence $x$ is not a common factor of 
$f_0(x)$ and $f_1(x)$. Argue as in Case (1) of Sect. 4; since $\deg f_1 = 3j + 1 \le 10$, 
at most ten values $v \in \mathbb{F}_q$ have to be excluded to ensure that $f_0$ and $f_1$ are 
co-prime. 

(ii) Indecomposability. This follows immediately from $\deg f_0 = 13$. 

(iii) Simplicity of $F_\beta$ for a suitable $\beta \in \mathbb{F}_q$. We employ three steps. 

STEP 1. We show that for all but a bounded number of $v$ there exists $\beta \in \mathbb{F}_q$ 
such that $F_\beta$ has a repeated factor. 

Suppose $v \in \mathbb{F}_q$ is such that $F_\beta$ is square-free for all $\beta \in \mathbb{F}_q^*$. Then the system 

$F_u(x) = f_0(x) + u f_1(x) = 0$, $\quad F_u'(x) = f_0'(x) + u f_1'(x) = 0$ (11) 

has no solution $(u, x) = (\beta, \gamma) \in \mathbb{F}_q^* \times \mathbb{F}_q$. 

Now consider $E(x) := f_0'(x) f_1(x) - f_0(x) f_1'(x)$. A root $\gamma$ of $E(x)$ such that 
$f_1(\gamma) \ne 0$ would imply a solution to (11) by putting $\beta := -f_0(\gamma)/f_1(\gamma)$. Hence 
every root of $E$ must also be a root of the fixed polynomial $f_1'$. As $\deg f_1' = 3j$ 
and $E$ turns out to be of degree 11 or less, this limits the number of possible 
choices for $E$ by 

Since every choice of $E$ admits at most one value of $v$, this is also the maximal 
number of values $v$ we have to exclude from $\mathbb{F}_q$ to guarantee the existence of an 
$F_\beta$ with a repeated factor. 



STEP 2. We show that, except for few $v$, the polynomial $F_\beta$ has no factor of 
multiplicity greater than two. 

Assume that $v \in \mathbb{F}_q$ is such that $F_\beta(x)$ has a root $\gamma$ of multiplicity $\ge 3$. 
Observe first that if $\gamma = 0$ then $0 = F_\beta'(0) = v$, i.e. by avoiding $v = 0$ we can 
assume that $\gamma \ne 0$ and henceforth divide by $\gamma$. Furthermore, $\gamma$ satisfies both 

$f_0'(x) f_1(x) - f_0(x) f_1'(x) = 0$ (12) 

and 

$f_0''(x) f_1(x) - f_0(x) f_1''(x) = 0$. (13) 

By evaluating their left-hand sides, (12) becomes 

3.3i-H2^(2)(^3) wx^^+^gl^\{x^) - - wC2X^^+‘^ + Cox^^ - 

- CoxgP (x^) + wCoxg^^\ (x^) - x^^ gf^ (x^) - wx^^g[°\ (x^) + (14) 

+ C2xg^°\x^) + wC2xgl°\(x^) + v(—C2X^ + Co) = 0 
and (13) becomes 

-x^^+^g^^^(x^) - Cogf\x^) - wx^^+^g^^\{x^) - wCogf\{x^) + 

-I- C2X^^ -I- C253°^(x^) -I- ruC'2X^'+^ -I- wC'25|°\(x^) -I- WC 2 = 0 . 



Suppose $C_2 = 0$. Then (15) says that $\gamma$ is a root of a polynomial of degree at 
most $7 + 3j$ and independent of $v$, and (14) says that $\gamma$ determines a unique $v$. 
Therefore we have to exclude at most sixteen values $v \in \mathbb{F}_q$ to make sure that 
$F_\beta$ has no triple or higher factor. 

Otherwise, if $C_2 \ne 0$, we can eliminate $v$ from (14) and (15) to obtain 



1 



• fi{x) ■ 



Cog^hx^) - C2g3\x^) + w{Cogl‘^2i(x^) - C2gZ\{x^)) 



= 0 . 



The polynomial in square brackets is a fixed polynomial of degree $\le 6$, not 
identically zero, of which $\gamma$ must be a root (as $f_1(\gamma) = 0$ would contradict co- 
primality). By (14) we see again that $\gamma$ determines a unique $v$, so that in this 
case we have to discard no more than six values of $v$. 



STEP 3. We show that for most $v$ the polynomial $F_\beta$ has no more than one 
repeated factor and is therefore simple. The following argument bears comparison 
with [5], pp. 341–342, “Proof of (D)”. 
We retain the notation $E(x)$ for $f_0'(x) f_1(x) - f_0(x) f_1'(x)$. Assume that $\gamma_1, \gamma_2$ 
are distinct multiple roots of $F_\beta$. Then $F_\beta(\gamma_i) = F_\beta'(\gamma_i) = 0$ ($i = 1, 2$), and this 
also implies $E(\gamma_i) = 0$ ($i = 1, 2$). Now, $E(x)$ is equal to $h_1(x) - vD(x)$ with 
$D(x) := C_2 x^3 - C_0$ and 

hi{x) := — wC 2 X^^^'^ + Cqx^'^ — 

- Coxg^/\x^) + wCox^^ - wCoxgl‘^\{x^) - x^ig^°\x^) - 

— wx^^ g\^^{x^) + C2xgf\x^) + wC2xg^^^{x^) . 

Solve the equation $E(x) = 0$ for $v$ and put $v = h_1(x)/D(x) =: H_1(x)$. Then 
substitute this expression for $v$ into $f_0$ to find $f_0(x)/f_1(x) = h_2(x)/D(x) =: H_2(x)$ 
with 




As in [5], for any rational function $\varphi(x) = \varphi_1(x)/\varphi_2(x) \in \mathbb{F}_q(x)$ we write 

$$B_\varphi(X, Y) := \frac{\varphi_1(X)\,\varphi_2(Y) - \varphi_1(Y)\,\varphi_2(X)}{X - Y} \in \mathbb{F}_q[X, Y].$$



One readily verifies that $B_{H_1}(X, Y)$ and $B_{H_2}(X, Y)$ have total degree at most 
15 and $15 - 3j$, respectively, and that $(X, Y) = (\gamma_1, \gamma_2)$ is a solution to 

$$B_{H_1}(X, Y) = B_{H_2}(X, Y) = 0$$

that determines a unique $v = H_1(\gamma_1) = H_1(\gamma_2)$. If $B_{H_1}$ and $B_{H_2}$ are co-prime, it 
follows now from Bezout’s theorem [7] that the number of such pairs $(\gamma_1, \gamma_2)$, and 
hence the number of values $v$ we have to exclude, is bounded by $15 \cdot (15 - 3j) \le 
180$. Therefore, what remains to be shown is that $B_{H_1}$ and $B_{H_2}$ indeed satisfy 
the condition of being co-prime. By Lemma 4 of [3], or by [6], it suffices to show 
that $H_1$ and $H_2$ do not decompose as functions of the same non-linear rational 
function. 

Suppose $C_0 = 0$. Then $h_1$ has linear coefficient $C_2(A_{13} + wA_{3l+1}) \ne 0$, 
therefore $x$ (but not $x^2$) cancels from $H_1(x)$, so that its denominator has degree 1, 
which implies that $H_1$ is indecomposable. 

Next suppose $C_0 \ne 0$, $C_2 = 0$. Then $H_2$ is a polynomial of degree $12 - 3j$. 
For $j = 3$ this is prime. For $j = 1$ the only possible decomposition type in terms 
of the degrees $(\omega_1, \omega_2, \rho_1, \rho_2)$ is $(3, 0, 3, 0)$, and for $j = 2$ it could be $(3, 0, 2, 0)$ 
or $(2, 0, 3, 0)$. All of these can be ruled out “by hand” (i.e. assuming an explicit 
decomposition and comparing coefficients, similarly to Case (3) of Sect. 4). Hence 
$H_2$ is indecomposable. 

Finally suppose $C_0 C_2 \ne 0$. Assume first that $H_2$ is in lowest terms. Then 
for $j = 1$ and $j = 3$ we get indecomposability because $\deg h_2$ is prime, and for 
$j = 2$ the only possible decomposition types are $(\omega_1, \omega_2, \rho_1, \rho_2) = (4, 0, 2, 1)$ or 
$(2, 1, 4, 0)$, both of which can again be eliminated by explicit discussion. Next 
assume a linear factor cancels from $H_2$. Then we get indecomposability from 
degree 1 of the denominator. Finally assume that $C_2 x^3 - C_0$ divides $h_2(x)$. Note 
that $w = 0$ (because $C_0 \ne 0$) and 

hi{x) = —x^^{C2X^ — Co) + x^^h2{x) + xL{x^) 

where L(x^) := C2g^\x^) — Cog^/\x^) is not identically zero by assumption. 
From 

x‘^L{x^) = (C2X^ - Co) g3°\x^) - Coh2(x) 

it is clear that C2X^ — Co divides L{x^) and hence also hi{x). Moreover, as L{x^) 
is a polynomial in x^, we must in fact have {C2X^ — Cq)^ | L{x^). For j = 2, 3 this 
already yields a contradiction, since in these cases deg L{x^) < 3. For j = 1, 



L{x^) = {C2X^ - Co)^ with k := C2A7 - C0A5 G F* . 

^2 



(16) 



Performing the division of h2{x) by C2x’^ — Co, we obtain 



H2{x) = cc® + 



^5 6 

C2'" C| 



x"^ + terms of lower degree , 



which can only decompose as Q{R{x)) with deg Q = deg R = 3. Now Hi{x) = 
— + x^H2{x) + xL(x^) l(C2X^ — Co) is in fact of degree < 9, and the x^-term 
has coefficient —kjC^. If Hi{x) = P{R{x)), with R as above and deg P < 3, 
then clearly the coefficient of is zero, i.e. k = 0 in contradiction to (16). 
Therefore $H_1$ cannot decompose as a function of the same function as $H_2$. This 
completes the third step of (iii) and thereby Case (II). 



Case (III). If one of $A_{10}, A_{13}$ is non-zero put $w := 0$. In the situation $A_{10} = 
A_{13} = 0$ proceed as follows: put $w := 0$ if also $A_4 = A_7 = 0$ (i.e. $g^{(1)} = 0$ 
identically, which is possible in this case); otherwise choose $l \in \{1, 2\}$ such that 
$A_{3l+1} \ne 0$ and put $w := 1$. 

Now choose $s_3 := u \in \mathbb{F}_q^*$, $s_{12-3l} := w$ (ignore this if $w = 0$) and $s_{12} := uv$ 
with $v \in \mathbb{F}_q$. Then $f(x) = F_u(x) = f_0(x) + u f_1(x)$ with 

/o(x) = x^^ -I- x^(?3^^(x^) -I- g^^\x^) + wx^*+^ -I- rcx^g[^\(x^) -I- w(/|°\(x^) , 

/i (x) = x^° -I- x'^g^^ (x^) -I- § 2 °^ (x^) + vx . 

In the special case $g^{(1)} = 0$ cancel a factor $x$ and work with 

/o(x) = x'^'^ + xgf\x^) , /i(x) = x'^ + xg^^\x^) + V . 

In all cases we aim to establish the conditions of Lemma 3. 

(i) Co-primality. In the situation where $g^{(1)} \ne 0$ we have arranged that $x$ is not a 
common factor of $f_0$ and $f_1$. By the usual argument, excluding at most thirteen 
values $v$ from $\mathbb{F}_q$ ensures co-primality. 
In the case $g^{(1)} = 0$ we have to avoid $v = 0$ and up to eleven other values 
$v \in \mathbb{F}_q$. 

(ii) Indecomposability. If $g^{(1)} \ne 0$ we have $\deg f_0 = 13$ prime. 

The situation for $g^{(1)} = 0$ is more complicated. From (8), there are six possi- 
ble decomposition types $(\omega_1, \omega_2, \rho_1, \rho_2)$, namely $(3, 0, 4, 3)$, $(2, 1, 6, 3)$, $(3, 2, 4, 1)$, 
$(4, 3, 3, 0)$, $(4, 1, 3, 2)$ and $(6, 3, 2, 1)$. The first four can be ruled out “by hand” as 
above. For the remaining two equate denominators in (7) to find that $R_2(x) \mid f_1(x)$ 
and also $R_2(x) \mid f_1'(x) = A_2 x^6 + A_5 x^3 + A_8 \in \mathbb{F}_q[x^3]$. Hence $R_2(x)$ divides a 
fixed quadratic polynomial in $\mathbb{F}_q[x]$ and can have at most two roots. Moreover, 
$R_2(x) \mid f_1(x) - x f_1'(x) = (x + v^{1/9})^9$, so we must have $v = -\gamma^9$ where $\gamma$ is a root 
of $R_2(x)$. This leaves us with at most two values of $v$ which need to be excluded 
to ensure indecomposability. 

(iii) No factor of multiplicity divisible by 3. We show indeed that $f_1$ is square-free 
for all but a small number of $v$. Clearly, if this is shown for $f_1$ in its original 
meaning, this covers also the case where $f_1$ is reduced by a factor $x$. Suppose 
$\gamma \in \mathbb{F}_q$ is a double root of $f_1$. Then it satisfies both 

$f_1(x) = x^{10} + x^2 g^{(2)}(x^3) + g^{(0)}(x^3) + vx = 0$ (17) 

and 

$f_1'(x) = x^9 - x\,g^{(2)}(x^3) + v = 0$. (18) 

From (18) we get $v = -x^9 + x\,g^{(2)}(x^3)$, which in (17) gives $-x^2 g^{(2)}(x^3) + 
g^{(0)}(x^3) = 0$. This means $\gamma$ is a root of a fixed polynomial of degree at most 8 
that is not identically zero. Consequently there are at most eight simultaneous 
solutions to (17) and (18), each of which determines a unique $v$. Excluding these 
values of $v$ makes $f_1$ square-free. 

(iv) Discriminant. This is deferred to the next and final section. 



6 $S_n$ or $A_n$ 

The outstanding new feature of the ternary case, in comparison to the binary 
case [4], is the appearance of the alternating group $A_n$ as the common Galois 
group $G = \overline{G}$. We have already seen situations — Case (2) with $A_5 = 0$ and 
Case (4) in Sect. 4, and Case (I) in Sect. 5 with one of $A_{11}, A_{13}$ zero — where 
this is genuinely the case (i.e. no matter which of the possible $v$ we choose). On 
the other hand, the use of Lemma 2 in Case (II), the “most general” case, in 
Sect. 5 means that here we are automatically always in “situation S”. The overall 
impression is that “situation S” is the standard case, but “situation A” inevitably 
occurs in some exceptional situations. This will be confirmed by Case (III) of 
Sect. 5, which we are now going to complete with the analysis of the discriminant 
$\Delta_x$ (criterion (iv) of Lemma 3). Recall that Case (III) imposes relationships 
between the $A_k$. 
To this end we use the following lemma, an elementary proof of which we 
include in a forthcoming paper on the general problem. In terms of ramification 
theory it exploits the relationship between the “different” and derivative, as 
in [1], Chap. 1, Prop. 6. 

Lemma 4. Let $f_0$, $f_1$ and $F_u$ be as in Sect. 3, $f := f_0/f_1$. Assume that $f_0$ 
and $f_1$ are co-prime. Write the part of $E(x) = f_0'(x) f_1(x) - f_0(x) f_1'(x)$ that is 
co-prime to $f_1$ as 

r 

J=1 

Then the discriminant of Fu{x) is equal to 

r 

c ■ — f{fdj)Y^ with a constant c G F* . 

i=i 



Suppose, in our situation, that $\alpha$ is a common root of $E$ and $f_1$. Then 
$f_0(\alpha) f_1'(\alpha) = 0$ and, since $f_0(\alpha) \ne 0$, $\alpha$ must be a repeated root of $f_1$. As we 
have already arranged in part (iii) that such roots do not exist, we can assume 
that $E$ is co-prime to $f_1$. By Lemma 4 this means that all its factors contribute 
to the degree of $\Delta_x$ in $u$. Hence to prove that $\Delta_x$ is a non-square in $\mathbb{F}_q(u)$ it 
suffices to show that the degree of $E(x)$ is odd. 

Consider first the situation where $g^{(1)} \ne 0$. Then $C_0 \ne 0$, 

(i = 0, ... ,3) with C := C'2/C'o, and 



E{x) = (Cx^ — 1) • Ai 3 (x® -I- w) -I- 



If j = 1 then E{x) is of degree 9 or II provided we avoid v = — A13/C0. If 
j = 3 then Aio = Cq yf 0, hence w = 0, and E{x) reduces to (Cx^ — I)(Ai3X® -I- 
vAiox^ -\- XA13), which is either of degree 9 or II (if A13 yf 0), or of degree 3 or 
5 (if Ai 3 = 0 and we avoid x = 0). It remains j = 2. Then either rx = I with 
? = 1, or rx = 0, and 

E{x) = (Cx^-1)- [A13X® -I- (xAy — ■ixAio)x® -I- xAiox^ -I- {vAio-\- vwA-j)\ . 

This is of degree 9 or II if A13 yf 0. 

From now on suppose A13 = 0 (still in the case j = 2). Then 

E{x) = (Cx^ — 1) • [ (xAy — rxAio)x® -I- xAiqx^ -I- xrxAy] 

is of degree 8 whenever $v \ne 0$ (note that $A_7 = C_2 \ne 0$ and one of $w$, $A_{10}$ is zero). 
In this case we can try to show that $\Delta_x$ has a factor of odd multiplicity. Closer 
inspection reveals four possibilities to examine as follows. 

(a) $A_7 \ne 0$, all other $A_k$ are zero. 

(b) $A_7, A_{10} \ne 0$, all other $A_k$ are zero. 

(c) $A_5, A_7 \ne 0$, all other $A_k$ are zero. 

(d) $A_5, A_7, A_{10} \ne 0$ (then also $A_8 = A_5 A_{10}/A_7 \ne 0$), all other $A_k$ are zero. 
(a) Here fo{x) = +x^ + + A^j, fi{x) = x^'^ + A’jx^ + vx. Maple calculates 

Ax = v^A^^u^, which is a square in Fq(u) — once again we find ourselves in 
“situation A”. 

(b) Here fo{x) = x^^ + A-jx^ + A\qx^ and f\{x) = x^^ + Ajx^ + vx+ A iq. We have 

E{x) = —vA’jx^{x^ + A10/A7); this has triple roots 0 and a := A10/A7. 

As $f(0) = 0$, the root 0 contributes a factor to $\Delta_x$ by Lemma 4. Hence, 
to show that $\Delta_x$ is a non-square in $\mathbb{F}_q(u)$, it suffices that $f(\alpha) \ne 0$. Indeed, 
one finds $f_0(\alpha) \ne 0$. 

(c) Here fo{x) = {x^ + l)/2(x) and fi{x) = x^f2{x) + vx with f2{x) := + 

Asx^ -I- A7. E{x) = vA^i^x"^ — A7/A5)(x® -I- 1 ) has roots ±a, where a := 
\/ A-jjA^^ and ±/ 3 , where /3 := One finds /o(/ 3 ) = /o(— /?) = 0 , so 

that ±/3 together contribute u® to Ax- Therefore, to show that Ax is a non- 
square in Fq(M), it suffices that f{—a) yf f{ct). It is easily checked that the 
choice V = A^jA^ is permissible (that is, conditions (i)-(iii) of Lemma 3 
are satisfied and /i is square- free). With this, /i(a) = = fi{—ce) and 

/o(— a) — /o(a) = = a^{Aj/A\ + 1), so that indeed /(—a) yf /(a) 

whenever A5 yf — A7. If, however, A5 = — A7, then the same choice of v 
becomes — A7, and Maple finds Ax = v^A^^u^, a square in Fg(u) (“situation 
A”, at least for this particular v). 

(d) Here fo{x) = x®/2(x) and fi{x) = f2{x) + vx with /2(x) := x^® -I- A5X® -I- 
A7X® -I- Agx^ -I- Aio- E{x) = uAsx®(x^ — At/A^){x^ + A10/A7) has roots 0 , 
±a with a := \/ A^jA^, and j 3 := ^-AiqIA-j. One finds /o( 0 ) = 0 and 
/o(/?) = yf 0 , so 0 contributes m® to Ax, and [3 contributes a triple factor 
different from u®. Therefore Ax is a non-square in Fg('u), unless exactly one 
of f{Ea) coincides with 0 and the other with f{( 3 ). 

To study the latter possibility, assume without loss of generality that $f(\alpha) = 
0$ and $f(-\alpha) = f(\beta)$. One calculates 

/(/?) = , with Ai := /312 ^ ^2 := / 3 ® , 

A2 -I- u 

and, using /(a) = 0, 

Ao 

/(—a) = with A3:=— a®A7, A4 := q;^A7 . 

A4 -I- X 

Then $f(\beta) = f(-\alpha)$ if and only if $(\lambda_1 - \lambda_3)\,v = \lambda_2 \lambda_3 - \lambda_1 \lambda_4$. Clearly, if 
$\lambda_3 \ne \lambda_1$ this can be avoided by a suitable change of $v$. 

It remains to examine the situation for A3 = Ai. Then we have also A1A4 = 
A2A3, which is equivalent to P = —a, and from A3 = Ai we further deduce 
A7 = — Let e denote a square root of A7 and 77 a square root of A5 such 
that a = e/r] (i.e. f{sjr]) = 0 ). Then = A7 = —e^/rf, i.e. rf = — e®, and 
this relation allows us to write our coefficients as 

A^ = rf', Ar = e^, Ag = — = -^ and Aio = = -Ag . 

77 A7 




180 Rail Franken and Stephen D. Cohen 



Now, with the help of Maple, and using 77 ^ = one determines 

+ Tf£^v^)u^ — 

_ (j^l4g2r,3 _|_ J^12g6r,2)y3 _|_ j^l6g4^2^2 j ^ _ 

= [ {A\v^ — + A‘^A‘yv‘^)u‘^ — 

- {AIAyv^ + AlA^v‘^)u^ + A\A^v'^u^"\ ^ , 

a square in $\mathbb{F}_q(u)$. This is another remarkable sporadic appearance of “sit- 
uation A”. (For an example where this actually occurs, take $A_5 = A_7 = 1$ 
and $A_8 = A_{10} = -1$.) 

Finally, we have to consider the case = 0. Then E{x) = {An + vA 2 )x^ + 
vAsx^ + vAsx^ + vAii. If j = 1 avoid v = —AnjA^ to obtain deg E = 9, 
and if j = 3 then the degree of A is 3 or 9, according to whether An is zero 
or not. So suppose j = 2. Then deg if = 9 if An = 0. For An yf 0 we have 
E{x) = vAsX^{x^ + As/ As). This has always the triple root 0, which, as /o(0) = 
0, contributes to A^. The second triple root of if is a := ^—As/A^. Only 
when Ag = 0 do the roots coincide and we find (“situation A”). 

Otherwise $f_0(\alpha) \ne 0$ and $\Delta_x$ is a non-square in $\mathbb{F}_q(u)$. 

With this the proof of Theorem 1 is complete. 
Abstract. It is shown that the Gray map on $\mathbb{Z}_{p^2}^n$, where p is a prime 
and n a positive integer, yields the same result as an appropriate exten- 
sion of the well-known “$(u|u+v)$-construction”. It is also shown that, up 
to a permutation, which is a generalization of Nechaev’s permutation, 
the Gray images of certain $\mathbb{Z}_{p^2}$-codes of length n constructed from $\mathbb{F}_p$- 
cyclic codes of length n are $\mathbb{F}_p$-cyclic codes of length pn with multiple 
roots. These results generalize some of those appearing in [21]. Examples 
are given in order to illustrate the ideas. 



1 Introduction 



If n is a positive integer and $\mathbb{Z}_4$ is the ring of integers modulo 4, it follows from 
their definitions that the Gray map on $\mathbb{Z}_4^n$ and the “$(u|u+v)$-construction” 
yield the same result (cf. §3.1). Furthermore if $C_1$ and $C_2$ are binary cyclic 
codes of length n with generating polynomials $g_1$ and $g_1 g_2$ respectively, where 
$g_1$ and $g_2$ are coprime divisors of $x^n - 1$, n odd, then, up to a permutation, 
the “$(u|u+v)$-construction” of these cyclic codes is the same as the repeated- 
root binary cyclic code of length 2n with generator polynomial $g_1^2 g_2$, a problem 
treated in [21] (see also [2]). The purpose of this note is to show that the same 
kind of results are valid for the case of the Gray map defined on $\mathbb{Z}_{p^2}^n$, where 
$\mathbb{Z}_{p^2}$ is the ring of integers modulo $p^2$, p a prime, and an appropriate extension of the 
“$(u|u+v)$-construction”. Let $C_i = \langle g_1 g_2 \cdots g_i \rangle$, for $i = 1, 2, \dots, p$, be $\mathbb{F}_p$-cyclic 
codes of length n, where the polynomials $g_i$ are monic pairwise coprime divisors 
of $x^n - 1$, with $(n, p) = 1$. Then, up to a permutation which is a generalization of 
Nechaev’s permutation (cf. §2), it is shown that the Gray map image of a 
$\mathbb{Z}_{p^2}$-code D of length n constructed from the cyclic codes $C_i$ is a repeated-root 
$\mathbb{F}_p$-cyclic code of length pn whose generating polynomial is obtained from those 
polynomials generating the cyclic codes $C_i$ (see §4 for details). Some examples 
are given in order to illustrate the ideas. The ring $\mathbb{Z}_{p^2}$ plays an important 
role in other contexts, for instance in the construction of partial and relative 
difference sets in the Galois ring $GR(p^2, m)$ and related results (cf. [5], [15]), in 
the description of the Kerdock code over this Galois ring ([20]) and of nonlinear 
p-ary sequences ([11]). 
The problem of repeated-root binary cyclic codes has been discussed in [21], 
[2], [10]. If $C_1$ and $C_2$ are binary codes the construction $C_2 + 2C_1$ has been used 
recently in [4] to express the Gray images of (free) cyclic codes over the ring 
$\mathbb{F}_2 + u\mathbb{F}_2$. Also in [14] the same construction is used to study cyclic self-dual 
codes over the ring $\mathbb{Z}_4$ and in [3], where the codes $C_1$ and $C_2$ are the Reed–Muller 
codes $RM(r, m)$ and $RM(m - r - 1, m)$ for $0 < r <$ respectively, to study 
type II codes over the ring $\mathbb{Z}_4$. In [22] the same construction is used to describe 
some families of $\mathbb{Z}_4$-cyclic codes. 

The paper is organized as follows: in the next section a generalization of 
Nechaev’s permutation ([13], [23]) which will be useful in the rest of the paper 
is given. In Section 3, well-known facts about the “$(u|u+v)$-construction”, the Gray 
map and repeated-root cyclic codes in the binary case are recalled. In Section 
4, the main results are presented and some examples are provided in the last 
section. 

2 The p-Permutation 

For an odd positive integer n let the permutation $\sigma$ be defined on the set 
$\{0, 1, 2, \dots, 2n-1\}$ as $\sigma = (1, n+1)(3, n+3) \cdots (2i+1, n+2i+1) \cdots (n-2, 2n-2)$, 
where the elements $0, 2, 4, \dots, 2n-1$ are invariant under $\sigma$. It induces a permutation 
$\Pi$ on the cartesian product $\mathbb{F}_2^{2n}$ in the following way. If 

$u = (u_0, u_1, \dots, u_{n-1} \mid u_n, u_{n+1}, \dots, u_{2n-1}) \in \mathbb{F}_2^{2n}$ 

then 

$\Pi(u) = (u_{\sigma(0)}, u_{\sigma(1)}, \dots, u_{\sigma(n-1)} \mid u_{\sigma(n)}, u_{\sigma(n+1)}, \dots, u_{\sigma(2n-1)})$. 

This permutation on $\mathbb{F}_2^{2n}$, called Nechaev’s permutation (cf. [13]), has been 
used by several authors in determining properties of binary and quaternary codes 
([23], [9], [16], [18]). 

For a prime p and any positive integer n such that $p < n$, let $N_{np}$ be the set 

$$\left\{\begin{array}{ccccccc}
0 & 1 & 2 & \cdots & p & \cdots & n-1 \\
n & n+1 & n+2 & \cdots & n+p & \cdots & 2n-1 \\
2n & 2n+1 & 2n+2 & \cdots & 2n+p & \cdots & 3n-1 \\
\vdots & & & & & & \vdots \\
(p-1)n & (p-1)n+1 & (p-1)n+2 & \cdots & (p-1)n+p & \cdots & np-1
\end{array}\right\}$$

Observe that this array has n columns numbered $0, 1, 2, 3, \dots, n-1$ and p rows 
numbered $0, 1, 2, \dots, p-1$. We define the permutation $\sigma$ on the set $N_{np}$ as the 
composition (product), i.e., $\sigma = \sigma_0 \sigma_1 \cdots \sigma_{n-1}$, of the following p-cycles $\sigma_j$ given on 
each column of the above arrangement as: 

— $\sigma_j = $ identity if $j \equiv 0 \bmod p$ 

— $\sigma_j = (j, (j)_p n + j, (2j)_p n + j, \dots, ((p-1)j)_p n + j)$, for $j = 1, 2, \dots, p-1$, where 
$(s)_p$ means reduction of $s$ modulo p 

— $\sigma_m = \sigma_j$ if $m \equiv j \bmod p$, for $j = 0, 1, 2, \dots, p-1$ 

This permutation induces a permutation $\Pi$ on the cartesian product $\mathbb{F}_p^{np}$ in 
the following way. If 

$u = (u_0, u_1, \dots, u_{n-1} \mid u_n, u_{n+1}, \dots, u_{2n-1} \mid \cdots \mid u_{(p-1)n}, \dots, u_{pn-1}) \in \mathbb{F}_p^{np}$ 

then the vector $\Pi(u)$ with np coordinates is the concatenation of the consecutive 
rows of the following arrangement: 

$$\Pi(u) = \left(\begin{array}{cccc}
u_{\sigma(0)} & u_{\sigma(1)} & \cdots & u_{\sigma(n-1)} \\
u_{\sigma(n)} & u_{\sigma(n+1)} & \cdots & u_{\sigma(2n-1)} \\
\vdots & & & \vdots \\
u_{\sigma((p-1)n)} & \cdots & & u_{\sigma(np-1)}
\end{array}\right)$$

This permutation on $\mathbb{F}_p^{np}$ will be called the “p-permutation” and it will be 
used in the next section to describe some properties of the Gray map image of 
codes defined over the ring $\mathbb{Z}_{p^2}$. The permutation $\Pi$ has also been considered in 
[9]. Observe that if $p = 2$ the p-permutation is precisely Nechaev’s permutation. 



3 Gray Map, “$(u|u+v)$-Construction” and Cyclic Codes: 
the Binary Case 

In this section some facts about the “$(u|u+v)$-construction”, the classical Gray 
map, i.e., over $\mathbb{Z}_4$, and repeated-root binary cyclic codes are recalled. To be 
more precise, it is shown that if $C_1$ and $C_2$ are two binary cyclic codes of length 
n, $D = C_2 + 2C_1 = \{c_2 + 2c_1 \in \mathbb{Z}_4^n : c_i \in C_i\}$ and $\Phi$ is the Gray map on $\mathbb{Z}_4^n$ 
then $\Phi(D)$ is the same as the well-known “$(u|u+v)$-construction” on certain 
subsets of $\mathbb{F}_2^n$ associated to $C_1$ and $C_2$. It is also shown that the code obtained 
by applying the 2-permutation to the “$(u|u+v)$-construction”, or equivalently, 
to the Gray map image of the code D, is a repeated-root binary cyclic code 
of length 2n whose generator is given in terms of the generators of the codes $C_1$ 
and $C_2$. The problem of repeated-root cyclic codes was treated in [21] (see also 
[2]). In the next section this construction is generalized to $\mathbb{F}_p$-codes, and a relation 
with a suitable “$(u|u+v)$-construction” and the generalized Gray map on the 
Galois ring $GR(p^2, m)$ is given. 



3.1 The “$(u|u+v)$-Construction” and the Gray Map 

We first recall the “$(u|u+v)$-construction” ([12], page 76). Let U and V be two 
(non-empty) subsets of the cartesian product $R^m$, where R is a finite (commu- 
tative) ring and m is a positive integer. The “$(u|u+v)$-construction” on U and 
V is the subset $\Gamma(U, V) = (U|U+V)$ of $R^{2m}$ given by: 

$\{(u|u+v) : u \in U, v \in V\} = \{(u_0, \dots, u_{m-1} \mid u_0 + v_0, \dots, u_{m-1} + v_{m-1})\}$ 
where $u = (u_0, \dots, u_{m-1}) \in U$, $v = (v_0, \dots, v_{m-1}) \in V$ and the bar means 
concatenation. 

Observe that if $R = \mathbb{F}_q$, a finite field with q elements, if U is an $[m, r, \delta]$- 
$\mathbb{F}_q$ linear code and V is also an $[m, s, \Delta]$-$\mathbb{F}_q$ linear code, then $(U|U+V)$ is a 
$[2m, r + s, d = \min\{2\delta, \Delta\}]$-$\mathbb{F}_q$ linear code ([12]). 

We recall the definition of the Gray map on $\mathbb{Z}_4^n$, where $\mathbb{Z}_4$ is the ring of 
integers modulo 4 and n is a positive integer (cf. [7]). First observe that any 
element $a \in \mathbb{Z}_4$ can be expressed as $a = r_0(a) + 2r_1(a)$, its binary expansion, 
where $r_0(a), r_1(a)$ are in $\mathbb{F}_2$. The Gray map $\Phi : \mathbb{Z}_4 \to \mathbb{F}_2^2$ is given by $\Phi(a) = 
(r_1(a), r_1(a) + r_0(a))$. This map can be extended to $\mathbb{Z}_4^n$ in the natural way 
(coordinate-wise): if $a = (a_0, a_1, \dots, a_{n-1}) \in \mathbb{Z}_4^n$, then 

$\Phi : \mathbb{Z}_4^n \to \mathbb{F}_2^{2n}$ 

is given by: 

$\Phi(a) = (r_1(a_0), \dots, r_1(a_{n-1}) \mid r_1(a_0) \oplus r_0(a_0), \dots, r_1(a_{n-1}) \oplus r_0(a_{n-1}))$. 

It is well known that $\Phi$ is a bijective isometry with respect to the Lee metric 
on $\mathbb{Z}_4^n$ and the Hamming metric on $\mathbb{F}_2^{2n}$ ([7]). 

Let 

$R_0 = \{(r_0(v_0), r_0(v_1), \dots, r_0(v_{n-1})) \in \mathbb{F}_2^n : v = (v_0, v_1, \dots, v_{n-1}) \in \mathbb{Z}_4^n\}$ 
and let 

$R_1 = \{(r_1(v_0), r_1(v_1), \dots, r_1(v_{n-1})) \in \mathbb{F}_2^n : v = (v_0, v_1, \dots, v_{n-1}) \in \mathbb{Z}_4^n\}$. 

From the above definitions it follows that the “$(u|u+v)$-construction” $(R_1|R_1 + 
R_0)$ on the sets $R_1$ and $R_0$ is precisely the image of the Gray map on $\mathbb{Z}_4^n$, i.e.: 

$\Phi(\mathbb{Z}_4^n) = (R_1|R_1 + R_0)$. 

In particular, if $C_1$ and $C_2$ are two binary codes of length n, then the code 
$D = C_2 + 2C_1 = \{a + 2b = (a_0 + 2b_0, \dots, a_{n-1} + 2b_{n-1}) : a = (a_0, \dots, a_{n-1}) \in 
C_2, b = (b_0, \dots, b_{n-1}) \in C_1\} \subset \mathbb{Z}_4^n$ is such that its Gray map image $\Phi(D)$ is 

$\Phi(D) = (C_1|C_1 + C_2)$. 

It follows that $\Phi(D)$ is an $\mathbb{F}_2$-linear code. 

3.2 The Gray Map and Cyclic Codes 

Let n be an odd positive integer, $x^n - 1 = f_1(x) f_2(x) \cdots f_r(x)$, with each $f_i(x)$ 
monic irreducible and pairwise coprime. If $g_1(x) = f_1(x) \cdots f_k(x)$, $g_2(x) = 
f_{k+1}(x) \cdots f_s(x)$, which are coprime, let $C_1 = \langle g_1(x) \rangle$, $C_2 = \langle g_1(x) g_2(x) \rangle$ 
be the ideals in $\mathbb{F}_2[x]/(x^n - 1)$ generated by $g_1(x)$ and $g_1(x) g_2(x)$ respectively, 
i.e., cyclic codes of length n. In [21] it is shown that the repeated-root cyclic 
code $C = \langle g_1(x)^2 g_2(x) \rangle \subset \mathbb{F}_2[x]/(x^{2n} - 1)$ is equivalent, up to a permutation 
on the coordinates, to the linear code $(C_1|C_1 + C_2)$. Hence the cyclic code C 
is equivalent to the Gray map image $\Phi(D)$ of the code $D = C_2 + 2C_1 \subset \mathbb{Z}_4^n$. 
Observe that in this case $C_2 \subset C_1$. 

It is easy to see that the permutation that takes the binary linear code $(C_1|C_1 + C_2)$ 
to the linear (cyclic) code C is precisely Nechaev’s permutation, introduced in §2. 
In fact, in [21] it is shown that if $a(x) \in C_1$ and $b(x) \in C_2$ then the polynomial 

$w(x) = (x^n - 1)a(x) + b(x) + (x^n - 1)b_e(x^2)$ 

is an element of the ideal $C = \langle g_1(x)^2 g_2(x) \rangle \subset \mathbb{F}_2[x]/(x^{2n} - 1)$, where $b_e(x^2)$, 
the even part of $b(x)$, is such that $b(x) = b_e(x^2) + x\,b_o(x^2)$. If $a(x) = a_0 + a_1 x + 
\cdots + a_{n-1}x^{n-1}$ and $b(x) = b_0 + b_1 x + \cdots + b_{n-1}x^{n-1}$, it is easy to see that the 
vector w associated to the polynomial $w(x)$ is the concatenation of the rows of 
the following arrangement: 

$$\left(\begin{array}{cccccc}
a_0, & a_1 + b_1, & a_2, & a_3 + b_3, & \cdots, & a_{n-1} \\
a_0 + b_0, & a_1, & a_2 + b_2, & a_3, & \cdots, & a_{n-1} + b_{n-1}
\end{array}\right)$$

Applying Nechaev’s permutation to the vector w, that is, the 2-permutation 
$\Pi$ as introduced in §2, we obtain: 

$$\left(\begin{array}{cccccc}
a_0, & a_1, & a_2, & a_3, & \cdots, & a_{n-1} \\
a_0 + b_0, & a_1 + b_1, & a_2 + b_2, & a_3 + b_3, & \cdots, & a_{n-1} + b_{n-1}
\end{array}\right)$$

which is precisely the element $(a|a+b)$ of $(C_1|C_1 + C_2)$, where $a = (a_0, a_1, \dots, 
a_{n-1})$ and $b = (b_0, b_1, \dots, b_{n-1})$. Since the Gray map is bijective, by dimension 
arguments it follows that $\Pi(C) = (C_1|C_1 + C_2) = \Phi(D)$; i.e., 

$C = \Pi^{-1}(\Phi(D))$. 

We observe that any binary cyclic code of length 2n arises in this way. In fact 
if $C' = \langle g'(x) \rangle \subset \mathbb{F}_2[x]/(x^{2n} - 1)$ is an ideal, where $g'(x)$ is a monic divisor of 
$x^{2n} - 1$, then since $x^n - 1 = f_1(x) f_2(x) \cdots f_r(x)$, $f_i(x) \ne f_j(x)$ for $i \ne j$, 
with each $f_i(x)$ monic irreducible over $\mathbb{F}_2[x]$, we have $x^{2n} - 1 = (x^n - 1)^2 = 
f_1^2(x) f_2^2(x) \cdots f_r^2(x)$. Thus $g'(x)$ has the form $f_{i_1}^2(x) \cdots f_{i_k}^2(x) f_{j_1}(x) \cdots f_{j_l}(x) = 
a(x)^2 b(x)$, where $a(x)$ and $b(x)$ are binary monic coprime divisors of $x^n - 1$. Let 

$C_1' = \langle a(x) \rangle$, $C_2' = \langle a(x) b(x) \rangle$, 
then the above argument shows that 

$\Pi(C') = (C_1'|C_1' + C_2')$. 

According to [23], a $\mathbb{Z}_4$-cyclic code M of length n can be thought of as a 
principal ideal $M = \langle g(x) \rangle$ of $\mathbb{Z}_4[x]/(x^n - 1)$, where $g(x) = a(x)[b(x) + 2]$ 
and $a(x), b(x)$ are coprime factors of $x^n - 1$ in $\mathbb{Z}_4[x]$. Then $M_1 = \langle \bar{a}(x) \rangle$ 
and $M_2 = \langle \bar{a}(x)\bar{b}(x) \rangle$, where “$\bar{\ }$” means reduction modulo 2, are binary cyclic 
codes of length n, which may be called the “projections” of M on $\mathbb{F}_2[x]/(x^n - 1)$. 
Observe that $M_2 \subset M_1$. It would be interesting to give conditions on the cyclic 
code M under which it could be obtained from its projections, i.e., from the 
binary cyclic codes $M_1$ and $M_2$ via the $M_2 + 2M_1$ construction as described 
above. If $\Pi$ and $\Phi$ are as above, it would also be interesting to give conditions 
on M such that $\Pi^{-1}(\Phi(M)) = \langle \bar{a}^2(x)\bar{b}(x) \rangle$. In [22] the authors deal partially 
with this question. 



4 The Gray Map, “$(u|u+v)$-Construction” and Cyclic 
Codes over $\mathbb{Z}_{p^2}$ 

Let p be a prime. In order to avoid confusion in the rest of the paper, “+” will 
denote the sum operation in the ring $\mathbb{Z}_{p^2}$ and “$\oplus_p$” will denote the sum in the 
finite field $\mathbb{F}_p$. In this section it is shown that if n is a positive integer such that 
$(p, n) = 1$, then the Gray map $\Phi$ on $\mathbb{Z}_{p^2}^n$ is the same as a suitable generalization 
of the “$(u|u+v)$-construction”. Furthermore if $C_p, \dots, C_1$ are $\mathbb{F}_p$-cyclic codes of 
length n and $D = (C_p \oplus_p \cdots \oplus_p C_2) + pC_1 \subset \mathbb{Z}_{p^2}^n$ then, up to the p-permutation 
introduced in Section 2, the Gray map image $\Phi(D)$ is the same as a repeated-root 
$\mathbb{F}_p$-cyclic code C of length pn. The generator of this code is given in terms of 
the generators of the codes $C_i$, $i = 1, 2, \dots, p$ (for $p = 2$ this problem was treated 
in [21] and [2]). 



4.1 The Gray Map on $\mathbb{Z}_{p^2}^n$ and the “$(u|u+v)$-Construction” 

We show first that if p is a prime and n a positive integer such that $(p, n) = 1$, 
the (generalized) Gray map on $\mathbb{Z}_{p^2}^n$ and a version of the “$(u|u \oplus v)$-construction” 
yield the same result. 

Recall that any element $u \in \mathbb{Z}_{p^2}$ has the p-adic expansion $u = r_0(u) + r_1(u)\,p$, 
where $r_i(u) \in \mathbb{F}_p$. 

If $u = (u_0, u_1, \dots, u_{n-1}) \in \mathbb{Z}_{p^2}^n$ let: 

$r_0(u) = (r_0(u_0), r_0(u_1), \dots, r_0(u_{n-1}))$, $\quad r_1(u) = (r_1(u_0), r_1(u_1), \dots, r_1(u_{n-1}))$. 
Identifying $\mathbb{F}_p^{pn}$ with p copies of $\mathbb{F}_p^n$, the (generalized) Gray map 

$\Phi : \mathbb{Z}_{p^2}^n \to \mathbb{F}_p^{pn}$ 

is defined as: 

$\Phi(a) = (r_1(a),\ r_1(a) \oplus_p (p-1)r_0(a),\ r_1(a) \oplus_p (p-2)r_0(a),\ \dots,\ r_1(a) \oplus_p r_0(a))$ 

where the sum and the products $(p - i)r_0(a)$, with $i = 1, 2, \dots, p$, are taken in 
$\mathbb{F}_p$. The above definition of the Gray map is equivalent to the one given in [6] 
(see also [9], [17]). In any case the Gray map is injective. 
Let the homogeneous weight, $\mathrm{wt}_{\mathrm{hom}}$, on $\mathbb{Z}_{p^2}$ be defined by 

$$\mathrm{wt}_{\mathrm{hom}}(a) = \begin{cases} 0 & \text{if } a = 0, \\ p & \text{if } a \in p\mathbb{Z}_{p^2} \setminus \{0\}, \\ p - 1 & \text{otherwise} \end{cases} \qquad \forall\, a \in \mathbb{Z}_{p^2},$$

and, for $a \in \mathbb{Z}_{p^2}^n$, the value $\mathrm{wt}_{\mathrm{hom}}(a) \in \mathbb{Z}$ is taken as the sum of the 
homogeneous weights of its components. The homogeneous metric, $\delta_{\mathrm{hom}}$, is given by 
$\delta_{\mathrm{hom}}(a, b) = \mathrm{wt}_{\mathrm{hom}}(a - b)$ for all $a, b \in \mathbb{Z}_{p^2}^n$. Let $\delta_H$ denote the usual Hamming 
distance on $\mathbb{F}_p^{pn}$. Then we have (cf. [7], [6], [1], [16]): 

Theorem 1. The Gray map $\Phi$ is an isometry between $(\mathbb{Z}_{p^2}^n, \delta_{\mathrm{hom}})$ and $(\mathbb{F}_p^{pn}, \delta_H)$. 



For (non-empty) subsets $U_1, \dots, U_p$ of $\mathbb{F}_p^n$, a natural generalization of the 
“$(u|u+v)$-construction” is the following subset $\Gamma(U_1, \dots, U_p)$ of $\mathbb{F}_p^{pn}$ given by: 

$(U_1 \mid U_1 \oplus_p (p-1)[U_2 \oplus_p \cdots \oplus_p U_p] \mid \cdots \mid U_1 \oplus_p [U_2 \oplus_p \cdots \oplus_p U_p])$ 

where “$|$” means concatenation. A typical element of this set has the form: 

$(u^{(1)} \mid u^{(1)} \oplus_p (p-1)[u^{(2)} \oplus_p \cdots \oplus_p u^{(p)}] \mid u^{(1)} \oplus_p (p-2)[u^{(2)} \oplus_p \cdots \oplus_p u^{(p)}] \mid \cdots \mid 
u^{(1)} \oplus_p [u^{(2)} \oplus_p \cdots \oplus_p u^{(p)}])$, 

where $u^{(j)} = (u_0^{(j)}, u_1^{(j)}, \dots, u_{n-1}^{(j)}) \in U_j$, for $j = 1, 2, \dots, p$. 

Let $C_i$, $i = 1, 2, \dots, p$, be $\mathbb{F}_p$-linear codes of length n and let $D = (C_p \oplus_p 
C_{p-1} \oplus_p \cdots \oplus_p C_2) + pC_1 \subset \mathbb{Z}_{p^2}^n$. A typical element $v = (v_0, v_1, \dots, v_{n-1}) \in D$ 
has the form $v_i = (a_i^{(p)} \oplus_p a_i^{(p-1)} \oplus_p \cdots \oplus_p a_i^{(2)}) + p\,a_i^{(1)}$, where $(a_0^{(j)}, \dots, a_{n-1}^{(j)}) \in C_j$, 
for $j = 1, 2, \dots, p$ and $i = 0, 1, \dots, n-1$. 

Thus if $a^{(j)} = (a_0^{(j)}, \dots, a_{n-1}^{(j)}) \in C_j$ for $j = 1, 2, \dots, p$, we can write 

$v = (a^{(p)} \oplus_p a^{(p-1)} \oplus_p \cdots \oplus_p a^{(2)}) + p\,a^{(1)}$. 

If $v = (v_0, v_1, \dots, v_{n-1}) \in D$ is as described above, from the definition of the 
Gray map it follows that: 

$\Phi(v) = (a^{(1)} \mid a^{(1)} \oplus_p (p-1)[a^{(2)} \oplus_p \cdots \oplus_p a^{(p)}] 
\mid a^{(1)} \oplus_p (p-2)[a^{(2)} \oplus_p \cdots \oplus_p a^{(p)}] \mid \cdots \mid a^{(1)} \oplus_p [a^{(2)} \oplus_p \cdots \oplus_p a^{(p)}])$ 

where “$|$” means concatenation and $a^{(j)} = (a_0^{(j)}, \dots, a_{n-1}^{(j)})$, for $j = 1, 2, \dots, p$. 

The Gray map image, $\Phi(D)$, of the $\mathbb{Z}_{p^2}$-code D as given above is precisely the 
“$(u|u+v)$-construction” $\Gamma(C_1, \dots, C_p)$ on the codes $C_i$, i.e., $\Phi(D) = \Gamma(C_1, \dots, C_p)$. 
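As an added example (not the paper's code), the following Python implements the generalized Gray map $\Phi$, the homogeneous weight and the construction $\Gamma(U_1, \dots, U_p)$ exactly as defined in this section, checks Theorem 1 exhaustively for $p = 3$, $n = 2$ (and the Lee-metric case $p = 2$, $n = 3$), and verifies $\Phi(D) = \Gamma(C_1, C_2, C_3)$ on three small constructed $\mathbb{F}_3$-linear codes. The parameters and the sample codes are the example's own choices, not taken from the paper.

```python
from itertools import product

# Added example (not the paper's code): the generalized Gray map Phi on Z_{p^2}^n,
# the homogeneous weight wt_hom, and the construction Gamma(U_1, ..., U_p),
# all as defined in Section 4.1, checked by exhaustive enumeration.


def gray_map(v, p):
    """Phi(v) for v in Z_{p^2}^n: p blocks of length n, block k (k = 0, ..., p-1)
    equal to r1(v) + (p - k) * r0(v) computed in F_p (block 0 is r1(v) itself)."""
    r0 = [a % p for a in v]            # p-adic digit r0(a)
    r1 = [a // p for a in v]           # p-adic digit r1(a)
    out = []
    for k in range(p):
        out.extend((r1[i] + (p - k) * r0[i]) % p for i in range(len(v)))
    return tuple(out)


def hom_weight(a, p):
    """Homogeneous weight of one element a of Z_{p^2}."""
    a %= p * p
    if a == 0:
        return 0
    return p if a % p == 0 else p - 1   # p on pZ_{p^2} \ {0}, p - 1 otherwise


def hom_distance(u, v, p):
    """delta_hom(u, v) = wt_hom(u - v), summed over the coordinates."""
    return sum(hom_weight(a - b, p) for a, b in zip(u, v))


def hamming_distance(u, v):
    return sum(1 for a, b in zip(u, v) if a != b)


def isometry_holds(p, n):
    """Theorem 1 checked on every pair: delta_H(Phi(u), Phi(v)) == delta_hom(u, v)."""
    vectors = list(product(range(p * p), repeat=n))
    images = {v: gray_map(v, p) for v in vectors}
    return all(hamming_distance(images[u], images[v]) == hom_distance(u, v, p)
               for u in vectors for v in vectors)


def uuv_construction(codes, p):
    """Gamma(U_1, ..., U_p) = (u1 | u1 + (p-1)s | u1 + (p-2)s | ... | u1 + s),
    with s = u2 + ... + up and all sums taken in F_p."""
    result = set()
    for words in product(*codes):
        u1 = words[0]
        s = [sum(col) % p for col in zip(*words[1:])]
        word = []
        for k in range(p):
            word.extend((u1[i] + (p - k) * s[i]) % p for i in range(len(u1)))
        result.add(tuple(word))
    return result


def code_D(codes, p):
    """D = (C_p + ... + C_2) + p C_1 as a subset of Z_{p^2}^n (inner sums in F_p)."""
    result = set()
    for words in product(*codes):
        s = [sum(col) % p for col in zip(*words[1:])]
        result.add(tuple(s[i] + p * words[0][i] for i in range(len(s))))
    return result


def gray_image_equals_uuv(codes, p):
    """Phi(D) == Gamma(C_1, ..., C_p), the identity stated at the end of Section 4.1."""
    return {gray_map(v, p) for v in code_D(codes, p)} == uuv_construction(codes, p)


# Constructed sample: three F_3-linear codes of length 2 (not from the paper).
SAMPLE_P = 3
SAMPLE_CODES = [
    {(0, 0), (1, 0), (2, 0)},          # C_1
    {(0, 0), (1, 1), (2, 2)},          # C_2
    {(0, 0), (1, 2), (2, 1)},          # C_3
]

if __name__ == "__main__":
    print("Phi((4, 1)) over Z_9:", gray_map((4, 1), 3))
    print("isometry, p=3, n=2:", isometry_holds(3, 2))
    print("isometry (Lee case), p=2, n=3:", isometry_holds(2, 3))
    print("Phi(D) == Gamma(C_1, C_2, C_3):", gray_image_equals_uuv(SAMPLE_CODES, SAMPLE_P))
```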
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4.2 The Gray Map and Cyclic Codes 

In this section, assuming each C_i is an F_p-cyclic code, it is shown that by applying the inverse of the p-permutation Π introduced in §2 to the Gray image Φ(D) of the Z_{p^2}-code D as defined above, an F_p-repeated-root cyclic code C of length np is obtained. The generator of this cyclic code C is given in terms of the generators of the cyclic codes C_i.

Let p be a prime and let n be a positive integer such that (p, n) = 1 with p < n. Let g_1, g_2, ..., g_p ∈ F_p[x] be different monic pairwise coprime divisors of x^n − 1 and let C_j = <g_1 g_2 ··· g_j> for j = 1, 2, ..., p be the F_p-cyclic codes of length n generated by the polynomial g_1 g_2 ··· g_j, i.e., they are ideals in the ring R(p, n) = F_p[x]/(x^n − 1).

It will be shown that the cyclic code C, i.e., the ideal of R(p, np) generated by the polynomial g_1^p g_2^{p-1} ··· g_{p-1}^2 g_p, is precisely Π^{-1}(Φ(D)), where D = (C_p ⊕_p ··· ⊕_p C_2) + pC_1 and Π^{-1} is the inverse of the p-permutation Π introduced in §2. In order to prove this, it will be shown that the codeword



\Pi^{-1}(\Phi(v)) = \Pi^{-1}\big( a^{(1)} \mid a^{(1)} \oplus_p (p-1)[a^{(2)} \oplus_p \cdots \oplus_p a^{(p)}] \mid a^{(1)} \oplus_p (p-2)[a^{(2)} \oplus_p \cdots \oplus_p a^{(p)}] \mid \cdots \mid a^{(1)} \oplus_p [a^{(2)} \oplus_p \cdots \oplus_p a^{(p)}] \big)

is equal to the vector associated to a polynomial in the ideal

C = <g_1^p g_2^{p-1} ··· g_{p-1}^2 g_p>.

We first observe that any element a(x) = a_0 + a_1 x + a_2 x^2 + ··· + a_{n-1} x^{n-1} of R(p, n) can be written as:

a(x) = a^{(0)}(x^p) + x\, a^{(1)}(x^p) + \cdots + x^{p-1}\, a^{(p-1)}(x^p)

where

a^{(j)}(x^p) = a_j + a_{j+p}\, x^p + \cdots + a_{j+pt}\, x^{pt} + \cdots + a_{j+ps}\, x^{ps}

for j = 0, 1, 2, ..., p − 1 and j + ps ≤ deg a(x).

Let n be as above, let n ≡ r mod p, with 1 ≤ r ≤ p − 1, and let γ be a positive integer such that rγ ≡ −1 mod p, i.e., γ ≡ −r^{-1} mod p. Associated to the polynomial a(x), let

\bar{a}(x) = \sum_{j=0}^{p-1} \big[ a^{(j)}(x^p)\, x^j \big]\, x^{(j\gamma)_p\, n}

be an element of F_p[x], where (jγ)_p is the reduction of jγ modulo p.

Since all non-constant monomials of \bar{a}(x) have exponents divisible by p then \bar{a}(x) = (\tilde{a}(x))^p for some \tilde{a}(x) ∈ F_p[x].

Proposition 1. With the notation as above,

\bar{a}(x) \equiv a(x) \bmod (x^n - 1).
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Proof. The proof follows immediately by observing that

\bar{a}(x) - a(x) = \sum_{j=0}^{p-1} \big[ a^{(j)}(x^p)\, x^j \big] \big( x^{(j\gamma)_p\, n} - 1 \big)

and

x^{nm} - 1 = (x^n - 1)\big( x^{n(m-1)} + x^{n(m-2)} + \cdots + 1 \big)

for any integer m ≥ 1.

From the previous Proposition it follows that if f(x) is any irreducible factor of x^n − 1 and f(x) | a(x), then f(x)^p | \bar{a}(x).

If the expression for \bar{a}(x) given above is written as \bar{a}(x) = Σ_{i=0}^{p-1} a^{(i)}(x^p) x^{n_i}, where n_0 < n_1 < ··· < n_{p-1} (increasing powers of x), it can be seen that for any i = 0, 1, ..., p − 2 the difference n_i − n_{i+1} is a multiple of p. If n ≡ 1 mod p, n_i − n_{i+1} = kp for the same positive integer k and for all i = 0, 1, ..., p − 2, i.e., the difference n_i − n_{i+1} is a constant multiple of p. In this case it is easier to control the powers of x in the operations which involve the expression for \bar{a}(x). For simplicity, from now on it will be assumed that n ≡ 1 mod p. In this case γ ≡ −1 mod p, i.e., we can take γ = p − 1. From the arguments given below it is easy to see that if n ≡ r mod p, with the appropriate modifications the same results are obtained. Let C_i for i = 1, 2, ..., p and C be the F_p-cyclic codes introduced above.

If a_i(x) ∈ C_i, for i = 1, 2, ..., p, let

a_i(x) = a_i^{(0)}(x^p) + x\, a_i^{(1)}(x^p) + \cdots + x^{p-1}\, a_i^{(p-1)}(x^p)

and consider the corresponding polynomials

\bar{a}_i(x) = \sum_{j=0}^{p-1} \big[ a_i^{(j)}(x^p)\, x^j \big]\, x^{(j\gamma)_p\, n}

as described above. Let

w(x) = (x^n - 1)^{p-1}\, \bar{a}_1(x) + (x^n - 1)^{p-2}\, x^n \sum_{i=2}^{p} \bar{a}_i(x).

Proposition 2. With the notation as above, the polynomial w(x) is an element of the ideal C = <g_1^p g_2^{p-1} ··· g_{p-1}^2 g_p>.

Proof. First observe that since g_1 divides x^n − 1 then g_1^{p-1} divides (x^n − 1)^{p-1}, and since a_1 ∈ C_1, by Proposition 1, g_1 divides \bar{a}_1. So, g_1^p divides the first term of w(x). Also, g_1^{p-2} | (x^n − 1)^{p-2}, and from the fact that a_i ∈ C_i it follows that g_1 | a_i, hence (by the consequence of Proposition 1 noted above) g_1^p | \bar{a}_i, implying that g_1^p divides each one of the other terms of w(x). Thus g_1^p divides w(x). Since g_j | (x^n − 1) and a_j ∈ C_j = <g_1 g_2 ··· g_j>, by Proposition 1, a similar argument as above shows that for j = 2, 3, ..., p − 1, g_j^{p-j+1} divides each term of w(x), proving the assertion.
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The next step is to show that the polynomial w(x), or equivalently, the vector w of F_p^{np} associated to the polynomial w(x), has the form Π^{-1}(Φ(v)) for some v ∈ D.

In order to do so we find the vector w corresponding to the polynomial w(x). First observe that over the field F_p the following identity holds:

y^{p-1} + y^{p-2} + \cdots + y + 1 = (y - 1)^{p-1}.

In particular we have:

\sum_{j=0}^{p-1} x^{jn} = (x^n - 1)^{p-1}.

For any b(x) = b_0 + b_1 x + ··· + b_{n-1} x^{n-1} ∈ R(p, n), let B(b, n) be the arrangement with p rows and n columns, where if s ≡ j mod p, and 0 ≤ s ≤ n − 1, its s-th column is the transpose of the following p-tuple:

\begin{array}{cccccc}
\mathbf{s} & \mathbf{s+n} & \cdots & \mathbf{s+rn} & \cdots & \mathbf{s+(p-1)n} \\
(p-j)\, b_s & (p-j-1)\, b_s & \cdots & (p-j-r)\, b_s & \cdots & (p-j-(p-1))\, b_s
\end{array}

where the boldface entries indicate the position in the arrangement (the entry in row r of column s occupies coordinate s + rn) and the terms (p − t) are reduced modulo p.

Let \bar{b}(x) be the corresponding polynomial associated to b(x) as defined above. Then, by reducing modulo x^{np} − 1, it is easily seen that the vector w(b) corresponding to the polynomial \bar{b}(x)\, x^n (x^n − 1)^{p-2} is the concatenation of the rows of the arrangement B(b, n).

If w(x) = (x^n − 1)^{p-1} \bar{a}_1(x) + (x^n − 1)^{p-2} x^n Σ_{i=2}^{p} \bar{a}_i(x), it follows from the above observation that the vector associated to the term (x^n − 1)^{p-2} x^n Σ_{i=2}^{p} \bar{a}_i(x) is the sum of the vectors w(a_2), ..., w(a_p).

It is also easily seen that if a_1(x) = a_0^{(1)} + a_1^{(1)} x + ··· + a_i^{(1)} x^i + ··· + a_{n-1}^{(1)} x^{n-1}, the vector w(a_1) associated to the polynomial (x^n − 1)^{p-1} \bar{a}_1(x), that is, the first term in the expression of w(x), is the vector of length pn divided into p blocks of length n, each block having the form:

(a_0^{(1)}, a_1^{(1)}, \ldots, a_{n-1}^{(1)}).

Summarizing, the vector w associated to the polynomial w(x) is the vector w(a_1) + w(a_2) + ··· + w(a_p).



For 0 ≤ j ≤ p − 1 the action of the p-permutation Π on the j-th column of the arrangement B(b, n) is just shifting it down j places, and if t ≡ j mod p, the
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action of Π on the t-th column is the same as the action on the j-th column. Thus we conclude that

\Pi(w) = \Phi(v)

where v = (a^{(p)} ⊕_p ··· ⊕_p a^{(2)}) + p a^{(1)} with a^{(j)} = (a_0^{(j)}, a_1^{(j)}, ..., a_{n-1}^{(j)}), and the a_i^{(j)} are the coefficients of the polynomial a_j(x) ∈ C_j, for j = 1, 2, ..., p.

If p_i = deg(g_i) and m = Σ_{i=1}^{p} (p − i + 1) p_i, it is easy to see that the cardinality of D and the cardinality of C are the same and both are equal to p^{np − m}. From the fact that the Gray map Φ is injective we conclude that Π(C) = Φ(D), i.e.,

C = \Pi^{-1}(\Phi(D)).



5 Examples 

In order to illustrate the results presented in the previous section, some examples are provided. The first example is given in some detail.

Example 1. In this example we take p = 3 and n = 4.

The Gray map on Z_{3^2} and the "(u|u+v)-construction"

First we show that the generalized Gray map on Z_{3^2} and the generalization of the "(u|u+v)-construction" given previously yield the same result.

If U_1, U_2, U_3 are (non-empty) subsets of F_3^4, the generalization of the "(u|u+v)-construction" on these subsets is the subset Γ(U_1, U_2, U_3) of (F_3^4)^3 = F_3^{12} given as:

\Gamma(U_1, U_2, U_3) = \{ (u_1 \mid u_1 + 2(u_2 + u_3) \mid u_1 + u_2 + u_3) : u_i \in U_i \}

(where the bar "|" means concatenation).

Recall that any element u ∈ Z_{3^2} can be expressed as u = r_0(u) + 3 r_1(u) with r_i(u) ∈ F_3. If u = (u_0, ..., u_3) ∈ Z_{3^2}^4, let r_0(u) = (r_0(u_0), ..., r_0(u_3)) and r_1(u) = (r_1(u_0), ..., r_1(u_3)). Identifying F_3^{12} with 3 copies of F_3^4, the Gray map Φ: Z_{3^2}^4 → F_3^{12} is defined as:

\Phi(u) = (r_1(u) \mid r_1(u) \oplus_3 2\, r_0(u) \mid r_1(u) \oplus_3 r_0(u)).

Let

V = \{ v = (v_0, v_1, v_2, v_3) \in Z_{3^2}^4 : v_i = (c_i \oplus_3 b_i) + 3a_i,\ a_i, b_i, c_i \in F_3 \}.

From the above definition of the Gray map on Z_{3^2}^4 it follows that:

\Phi(v) = (a \mid a \oplus_3 2(b \oplus_3 c) \mid a \oplus_3 (b \oplus_3 c))

where a = (a_0, a_1, a_2, a_3), b = (b_0, b_1, b_2, b_3), c = (c_0, c_1, c_2, c_3) are in F_3^4. Hence Φ(V) = Γ(R_1, R_2, R_3), where R_i = F_3^4.
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If C_1, C_2, C_3 are ternary linear codes of length n = 4, let D = (C_3 ⊕_3 C_2) + 3C_1 ⊂ Z_{3^2}^4. A typical element v = (v_0, v_1, v_2, v_3) ∈ D has the form v_i = (c_i ⊕_3 b_i) + 3a_i, i.e., r_0(v_i) = c_i ⊕_3 b_i and r_1(v_i) = a_i, where a = (a_0, a_1, a_2, a_3) ∈ C_1, b = (b_0, b_1, b_2, b_3) ∈ C_2 and c = (c_0, c_1, c_2, c_3) ∈ C_3 with c_i, b_i, a_i ∈ F_3, for i = 0, 1, 2, 3. Therefore, v = (c ⊕_3 b) + 3a.

From the above observations it follows that Φ(D) is the "(u|u+v)-construction" Γ(C_1, C_2, C_3) on the codes C_i, that is,

\Phi(D) = \Gamma(C_1, C_2, C_3).

Thus the Gray map on Z_{3^2} and the generalized "(u|u+v)-construction" as introduced above give the same result.

The Gray map and cyclic codes

Let R(3, 4) = F_3[x]/(x^4 − 1) and let x^4 − 1 = g_1 g_2 g_3 where g_1 = (x − 1), g_2 = (x − 2), g_3 = (x^2 + 1) are irreducible elements of F_3[x]. Let C_1 = <g_1>, C_2 = <g_1 g_2>, C_3 = <g_1 g_2 g_3> be the F_3-cyclic codes of length 4 generated by the corresponding polynomials, i.e., they are ideals in the ring R(3, 4).

It will be shown that the ideal C of R(3, 12) = F_3[x]/(x^{12} − 1) generated by the polynomial g_1^3 g_2^2 g_3 is equal, up to the inverse of the 3-permutation Π as introduced in Section 2, to the Gray map image Φ(D) of the code D = (C_3 ⊕_3 C_2) + 3C_1, i.e., C = <g_1^3 g_2^2 g_3> = Π^{-1}(Φ(D)).

In order to do so it will first be shown that for any element v = (c ⊕_3 b) + 3a ∈ D the codeword Π^{-1}(Φ(v)) = Π^{-1}(a | a ⊕_3 2(b ⊕_3 c) | a ⊕_3 (b ⊕_3 c)) corresponds to an element of the ideal <g_1^3 g_2^2 g_3>.

Any polynomial a(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3 ∈ R(3, 4) can be written as (remember that p = 3 and n = 4):

a(x) = a^{(0)}(x^3) + x\, a^{(1)}(x^3) + x^2\, a^{(2)}(x^3)

where

a^{(0)}(x^3) = a_0 + a_3 x^3, \qquad a^{(1)}(x^3) = a_1, \qquad a^{(2)}(x^3) = a_2.

Since n = 4 ≡ 1 mod 3, let

\bar{a}(x) = a^{(0)}(x^3) + x^{2n+1}\, a^{(1)}(x^3) + x^{n+2}\, a^{(2)}(x^3) = (a_0 + a_3 x^3) + a_2 x^6 + a_1 x^9.

Observe that \bar{a}(x) ≡ a(x) mod (x^4 − 1) and each non-constant monomial of \bar{a}(x) has degree a multiple of 3, and \bar{a}(x) = \tilde{a}(x)^3 for some polynomial \tilde{a}(x) ∈ R(3, 4). In particular if f(x) is an irreducible factor of (x^4 − 1) which divides a(x) then f(x)^3 divides \bar{a}(x).

Let a(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3 ∈ C_1, b(x) = b_0 + b_1 x + b_2 x^2 + b_3 x^3 ∈ C_2 and c(x) = c_0 + c_1 x + c_2 x^2 + c_3 x^3 ∈ C_3 and consider the corresponding polynomials \bar{a}(x), \bar{b}(x), \bar{c}(x) as defined above. Let

w(x) = (x^4 - 1)^2\, \bar{a}(x) + x^4 (x^4 - 1)\, [\bar{b}(x) + \bar{c}(x)].
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We claim that the vector w associated to the polynomial w(x) is equivalent, up to the inverse of the 3-permutation, to the codeword

\Phi(v) = (a \mid a \oplus_3 2(b \oplus_3 c) \mid a \oplus_3 (b \oplus_3 c))

where a = (a_0, a_1, a_2, a_3), b = (b_0, b_1, b_2, b_3), c = (c_0, c_1, c_2, c_3) are in F_3^4.

First observe that reducing modulo x^{12} − 1:

(x^4 - 1)^2\, \bar{a}(x) = \bar{a}(x) + x^4 \bar{a}(x) + x^8 \bar{a}(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3 + a_0 x^4 + a_1 x^5 + a_2 x^6 + a_3 x^7 + a_0 x^8 + a_1 x^9 + a_2 x^{10} + a_3 x^{11}

and the corresponding vector is

(a_0, a_1, a_2, a_3 \mid a_0, a_1, a_2, a_3 \mid a_0, a_1, a_2, a_3).

Also, it is easy to see that

x^4 (x^4 - 1)\, \bar{b}(x) = -b_1 x + b_2 x^2 - b_0 x^4 + b_1 x^5 - b_3 x^7 + b_0 x^8 - b_2 x^{10} + b_3 x^{11}

corresponds to the vector

(0, -b_1, b_2, 0 \mid -b_0, b_1, 0, -b_3 \mid b_0, 0, -b_2, b_3)

and

x^4 (x^4 - 1)\, \bar{c}(x) = -c_1 x + c_2 x^2 - c_0 x^4 + c_1 x^5 - c_3 x^7 + c_0 x^8 - c_2 x^{10} + c_3 x^{11}

is associated to the vector

(0, -c_1, c_2, 0 \mid -c_0, c_1, 0, -c_3 \mid c_0, 0, -c_2, c_3).

Therefore the vector w associated to the polynomial w(x) is the successive concatenation of the rows of the following arrangement

\begin{pmatrix}
a_0 & a_1 - b_1 - c_1 & a_2 + b_2 + c_2 & a_3 \\
a_0 - b_0 - c_0 & a_1 + b_1 + c_1 & a_2 & a_3 - b_3 - c_3 \\
a_0 + b_0 + c_0 & a_1 & a_2 - b_2 - c_2 & a_3 + b_3 + c_3
\end{pmatrix}

Applying the 3-permutation Π as introduced in §2 to the vector w, we obtain

\Pi(w) = \begin{pmatrix}
a_0 & a_1 & a_2 & a_3 \\
a_0 - b_0 - c_0 & a_1 - b_1 - c_1 & a_2 - b_2 - c_2 & a_3 - b_3 - c_3 \\
a_0 + b_0 + c_0 & a_1 + b_1 + c_1 & a_2 + b_2 + c_2 & a_3 + b_3 + c_3
\end{pmatrix}

which is precisely the element

\Phi(v) = (a \mid a \oplus_3 2(b \oplus_3 c) \mid a \oplus_3 b \oplus_3 c)
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where v = (c ⊕_3 b) + 3a.

From the fact that a(x) ∈ C_1, b(x) ∈ C_2, c(x) ∈ C_3, that for each polynomial γ(x) ∈ F_3[x] we have \bar{γ}(x) ≡ γ(x) mod (x^4 − 1), and that \bar{γ}(x) is the third power of a polynomial, it follows that w(x) is an element of the ideal C = <g_1^3 g_2^2 g_3>. If p_i = deg(g_i), i = 1, 2, 3 and t = 3p_1 + 2p_2 + p_3, the cardinalities of C and D are the same and equal to 3^{12 − t}. Since the Gray map is injective we conclude that:

C = \Pi^{-1}(\Phi(D)).



Example 2. In this case we take p = 5 and n = 11.

Let R(5, 11) = F_5[x]/(x^{11} − 1). Any element a(x) = a_0 + a_1 x + ··· + a_9 x^9 + a_{10} x^{10} of R(5, 11) can be written as

a(x) = a^{(0)}(x^5) + a^{(1)}(x^5)\, x + a^{(2)}(x^5)\, x^2 + a^{(3)}(x^5)\, x^3 + a^{(4)}(x^5)\, x^4

where

a^{(0)}(x^5) = a_0 + a_5 x^5 + a_{10} x^{10}, \quad a^{(1)}(x^5) = a_1 + a_6 x^5, \quad a^{(2)}(x^5) = a_2 + a_7 x^5,

a^{(3)}(x^5) = a_3 + a_8 x^5, \quad a^{(4)}(x^5) = a_4 + a_9 x^5.

Since n ≡ 1 mod p, let

\bar{a}(x) = a^{(0)}(x^5) + [a^{(1)}(x^5)\, x]\, x^{(1\cdot 4)_5\, 11} + [a^{(2)}(x^5)\, x^2]\, x^{(2\cdot 4)_5\, 11} + [a^{(3)}(x^5)\, x^3]\, x^{(3\cdot 4)_5\, 11} + [a^{(4)}(x^5)\, x^4]\, x^{(4\cdot 4)_5\, 11}.

Let g_1, g_2, g_3, g_4, g_5 ∈ F_5[x] be different pairwise coprime divisors of the polynomial x^{11} − 1 and let C_i = <g_1 g_2 ··· g_i> for i = 1, 2, ..., 5 be the ideals of R(5, 11) generated by the corresponding polynomials. For a_i(x) = a_0^{(i)} + a_1^{(i)} x + ··· + a_{10}^{(i)} x^{10} ∈ C_i let

w(x) = \bar{a}_1(x)\, (x^{11} - 1)^4 + [\bar{a}_2(x) + \cdots + \bar{a}_5(x)]\, (x^{11} - 1)^3\, x^{11}.

The arrangement B(a_j, 11) for j = 2, ..., 5 has the form:

B(a_j, 11) = \begin{pmatrix}
0 & 4a_1^{(j)} & 3a_2^{(j)} & 2a_3^{(j)} & a_4^{(j)} & 0 & 4a_6^{(j)} & 3a_7^{(j)} & 2a_8^{(j)} & a_9^{(j)} & 0 \\
4a_0^{(j)} & 3a_1^{(j)} & 2a_2^{(j)} & a_3^{(j)} & 0 & 4a_5^{(j)} & 3a_6^{(j)} & 2a_7^{(j)} & a_8^{(j)} & 0 & 4a_{10}^{(j)} \\
3a_0^{(j)} & 2a_1^{(j)} & a_2^{(j)} & 0 & 4a_4^{(j)} & 3a_5^{(j)} & 2a_6^{(j)} & a_7^{(j)} & 0 & 4a_9^{(j)} & 3a_{10}^{(j)} \\
2a_0^{(j)} & a_1^{(j)} & 0 & 4a_3^{(j)} & 3a_4^{(j)} & 2a_5^{(j)} & a_6^{(j)} & 0 & 4a_8^{(j)} & 3a_9^{(j)} & 2a_{10}^{(j)} \\
a_0^{(j)} & 0 & 4a_2^{(j)} & 3a_3^{(j)} & 2a_4^{(j)} & a_5^{(j)} & 0 & 4a_7^{(j)} & 3a_8^{(j)} & 2a_9^{(j)} & a_{10}^{(j)}
\end{pmatrix}

where the entry in row r (r = 0, ..., 4) and column s (s = 0, ..., 10) occupies coordinate position s + 11r, so the five rows cover the positions 0–10, 11–21, 22–32, 33–43 and 44–54.
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
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
The Gray Map on GR(p^2, n) and Repeated-Root Cyclic Codes 195



The vector w(a_j) associated to the polynomial \bar{a}_j(x)\, x^{11} (x^{11} − 1)^3 is the (successive) concatenation of the rows of the arrangement B(a_j, 11). Recall that the coordinate position of each entry is the one indicated with the arrangement.

The vector w(a_1) associated to the polynomial \bar{a}_1(x)\, (x^{11} − 1)^4 has length 55 and is divided into 5 blocks of length 11. The entries of each one of these blocks are the coefficients of the polynomial a_1(x), i.e., each block has the form

(a_0^{(1)}, a_1^{(1)}, \ldots, a_{10}^{(1)}).

Summarizing, the vector associated to the polynomial w(x) as defined above is:

w = w(a_1) + w(a_2) + w(a_3) + w(a_4) + w(a_5).



If Π is the 5-permutation as introduced in §2, it is easily seen that Π(w) = Φ(v), where v = (a^{(5)} ⊕_5 a^{(4)} ⊕_5 a^{(3)} ⊕_5 a^{(2)}) + 5a^{(1)} and a^{(j)} = (a_0^{(j)}, ..., a_{10}^{(j)}) are the coefficients of the polynomial a_j(x) ∈ C_j, for j = 1, 2, ..., 5.

As it was shown, the polynomial w(x) is an element of the ideal, that is, of the cyclic code C = <g_1^5 g_2^4 g_3^3 g_4^2 g_5> in the ring R(5, 55) = F_5[x]/(x^{55} − 1). In this case the cardinalities of D and C are both equal to 5^{55 − (5p_1 + 4p_2 + 3p_3 + 2p_4 + p_5)}, where p_i = deg(g_i). Since the Gray map Φ is injective we conclude that

C = \Pi^{-1}(\Phi(D)).

Conclusion. For any prime p the Gray map can be defined on the Z_{p^2}-module Z_{p^2}^n, and, following the ideas presented in [21], it is shown that the Gray map image of a code built from F_p-cyclic codes C_i of length n is a cyclic code of length pn with multiple roots, whose generator is given in terms of the generators of the codes C_i. Some examples were provided to illustrate the ideas. It should be noted that the construction of the code D = (C_p ⊕_p ··· ⊕_p C_2) + pC_1 from the codes C_i could give more information. For instance, if p = 2 and C_1 = C_2 it would be interesting to describe the Z_4-code D = C_1 + 2C_1 and give some of its properties.

Acknowledgment. The author would like to thank the referees for their 
comments which greatly improved the presentation of this paper. 
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1 Introduction 

Given a positive integer n, any root of a primitive polynomial x^n + a_1 x^{n-1} + ··· + a_n over the finite field F_q of q elements (where q is a power of a prime p) is a primitive (generating) element of the extension F_{q^n}, by definition having multiplicative order q^n − 1. For many purposes it is valuable to be assured of the existence of a primitive polynomial with a proportion of its coefficients prescribed (e.g., with many of the coefficients zero). Results are known guaranteeing the existence of a primitive polynomial of degree n over F_q with a fixed number m of the "first" coefficients a_1, ..., a_m prescribed, where 1 ≤ m ≤ 3. See [1], [11], [7], [9], [10], [6], [3], [14]: some relevant facts are summarised at the end of this Introduction. Further results apply, for sufficiently large q (dependent on n), for a varying number of prescribed coefficients: thus, it is known that up to the first coefficients can be specified, see [8], [15]. Moreover, whereas the natural approach to such problems (working within the fields themselves) means introducing a restriction that the characteristic p should exceed m, recently Fan and Han [4], [5], [6] have shown how to eliminate such restrictions in problems of this nature by working p-adically and in Galois rings based upon F_q. Nevertheless, as formulated thus far, results of the latter type (wherein a proportion of the coefficients are specified) have little validity when F_q (i.e., q) is small. In particular, they say nothing in the important case of the binary field F_2. In this connection there is the result of Shparlinski [16], this time significant for sufficiently large n (in an unspecified manner), which established the existence of a primitive polynomial over F_2 of weight n/4 + o(n).

The purposes of this paper are to give a streamlined exposition of the Fan–Han method and to derive some unconditional results effective even for small fields. Key features are the application of estimates of Winnie Li [13] for mixed character sums with polynomial arguments over Galois rings and a sieving technique. The first main conclusion is that, for any n, there exists a primitive binary polynomial with one quarter of its coefficients prescribed.

Theorem 1. Given arbitrary positive integers n and m ≤ n/4, there exists a primitive binary polynomial f(x) = x^n + a_1 x^{n-1} + ··· + a_{n-1} x + 1 ∈ F_2[x] with either the first m coefficients a_1, ..., a_m or the last m coefficients a_{n-m}, ..., a_{n-1} prescribed in advance (as 0's or 1's).
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Through consideration of the reciprocal polynomial f*(x) := x^n f(1/x) of f(x), it suffices to prove Theorem 1 when it is the first m coefficients that are prescribed.

For ternary polynomials (q = 3), we prove unconditionally that one can specify up to one third of the first or last coefficients of a primitive polynomial.

Theorem 2. Given arbitrary positive integers n and m ≤ n/3, there exists a primitive ternary polynomial f(x) = x^n + a_1 x^{n-1} + ··· + a_{n-1} x + (−1)^{n-1} ∈ F_3[x] with either the first m coefficients a_1, ..., a_m or the last m coefficients a_{n-m}, ..., a_{n-1} prescribed in advance.

The constant term in a primitive ternary polynomial is necessarily (−1)^{n-1}. Again by consideration of the (monic) reciprocal polynomial f*(x) := (−1)^{n-1} x^n f(1/x), it suffices to prove Theorem 2 when it is the first m coefficients that are prescribed.

As q increases one could specify a larger proportion (up to one half), but we are content with the general result which follows. The single exception (with q = 4, n = 3, m = 1) was recorded already in [1].

Theorem 3. Given a prime power q > 3 and arbitrary positive integers n and m ≤ n/3, there exists a primitive polynomial x^n + a_1 x^{n-1} + ··· + a_n ∈ F_q[x] with the first m coefficients a_1, ..., a_m prescribed in advance, with the exception that there is no primitive cubic over F_4 with zero first coefficient.

The declared emphasis of this study is on "small" fields, because it is these that come nearest to testing the above theorems. Therefore we provide a complete analysis for fields F_q with q ≤ 5. Of course, the techniques are valid for all values of q and n and we indicate how the proof flows in general. The difficulties are more organisational than actual. Nevertheless, for values of q ≤ 13, there are some cases which have to be established by direct computation: for example, n = 12 when q = 13. Note that there is a reasonable expectation that, with some further calculation, Theorem 1 may be "upgraded" to yield the equivalent result to Theorem 2.

To complete this introduction, we explain how Theorems 1, 2 and 3 follow from known results in most cases for n ≤ 12. First, the author's study [1] of primitive polynomials with prescribed trace yields the results for n ≤ 7 (q = 2) and n ≤ 5 (q > 2). Next, Fan and Han [6] have shown that, for arbitrary q, there is a primitive polynomial of every degree n ≥ 8 with the first three coefficients prescribed (though most of the details of the calculations in the cases that have to be settled by direct computation have been suppressed). For q odd, these calculations are confirmed in detail in [14], where, with a few possible exceptions, all degrees n ≥ 7 are dealt with. This yields Theorem 1 for n ≤ 15 and Theorems 2 and 3 for 8 ≤ n ≤ 11. Earlier, for odd q, Han had shown the existence of primitive polynomials with two prescribed coefficients for n ≥ 7 and, more recently, Cohen and Mills [3] have clarified this working and extended it, in great detail, to cover the cases n = 5, 6. Thus, our conclusions are established for n ≤ 11 when q is odd. For q ≥ 4 even, it is not clear that Theorem 3 has been
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covered when n = 6 or 7, though from [7] and [9], it seems there is a primitive polynomial with arbitrary second coefficient. In conclusion, when q is odd we can assume forthwith that n ≥ 12. When q (≥ 4) is even, we shall also make brief reference to the cases of n = 6, 7.

2 Symmetric Functions and Power Sums in p-adic Rings 

For a general field F, let f(x) be an irreducible monic polynomial of degree n in F[x] with (complete set of) roots ξ_1, ..., ξ_n in a suitable splitting field. Then (up to sign), the coefficients are the symmetric functions of its roots: more precisely, f(x) = x^n − σ_1 x^{n-1} + σ_2 x^{n-2} − ··· + (−1)^n σ_n, where σ_i is the i-th symmetric function. The basic idea is to connect the values of the symmetric functions with those of sums of powers of the roots, which are easier to handle. Hence, for each i = 1, 2, 3, ..., define s_i := Σ_{j=1}^{n} ξ_j^i; by symmetry, for each i, s_i ∈ F. By repeated application of Newton's identities, which take the form

r\,\sigma_r = \sigma_{r-1}\, s_1 - \sigma_{r-2}\, s_2 + \cdots + (-1)^{r-1} s_r, \qquad r = 1, \ldots, n,

for a given m ≤ n, evidently the values of s_1, ..., s_m are determined (uniquely) by those of σ_1, ..., σ_m. On the other hand, although Newton's identities (as stated) hold in fields of arbitrary characteristic, the converse statement, namely, that the values of σ_1, ..., σ_m are determined by those of s_1, ..., s_m, holds only in fields whose characteristic is zero or exceeds m. The conclusion is that, in order to develop this principle for application to an arbitrary finite field F_q, it is necessary to transfer the argument to a ring of higher (prime-power) characteristic (a Galois ring), or even characteristic 0 (a p-adic ring or field). This is the motivation behind the discussion which follows. In it, q = p^k, p prime, is a given prime power and n is a given positive integer.
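A small computation illustrating the two preceding paragraphs, added here and not taken from the paper: Newton's identities are run forward to obtain the power sums s_r from σ_1, ..., σ_n; a brute-force check shows that the reverse direction is injective over F_p exactly when p > m; and the case p = 2, m = 2 shows how knowing s_1, s_2 modulo 4 (that is, in Z/4Z rather than in F_2) recovers σ_2 mod 2, which is the lifting idea the section motivates. The function names are the example's own.

```python
from itertools import product, combinations_with_replacement


def power_sums(sigma, p=None):
    """Power sums s_1..s_n from the elementary symmetric functions sigma_1..sigma_n using
    Newton's identities  r*sigma_r = sigma_{r-1} s_1 - sigma_{r-2} s_2 + ... + (-1)^(r-1) s_r.
    Arithmetic is over Z, or over Z/pZ when p is given (the identities hold in any characteristic)."""
    n = len(sigma)
    e = [1] + list(sigma)             # e[0] = sigma_0 = 1
    s = [0] * (n + 1)                 # s[0] is unused
    for r in range(1, n + 1):
        acc = r * e[r]
        for i in range(1, r):
            acc -= (-1) ** (i - 1) * e[r - i] * s[i]
        s[r] = (-1) ** (r - 1) * acc
        if p is not None:
            s[r] %= p
    return s[1:]


def newton_injective(p, m):
    """True iff (sigma_1..sigma_m) -> (s_1..s_m) is injective over F_p, i.e. iff the first m
    power sums determine the first m coefficients.  s_r only involves sigma_1..sigma_r, so the
    check does not depend on the degree n >= m.  Expected: True exactly when p > m."""
    seen = set()
    for sig in product(range(p), repeat=m):
        key = tuple(power_sums(sig, p))
        if key in seen:               # two different coefficient tuples, same power sums
            return False
        seen.add(key)
    return True


def sigma2_mod2_from_lift(s1_mod4, s2_mod4):
    """sigma_2 mod 2 from s_1 and s_2 known only modulo 4.  Over Z, s_2 = s_1^2 - 2 sigma_2, so
    sigma_2 = (s_1^2 - s_2)/2: the division by 2 is exactly what fails in F_2 and is repaired by
    working one p-adic digit higher, in Z/4Z."""
    return ((s1_mod4 * s1_mod4 - s2_mod4) % 4) // 2


def lift_recovers_sigma2(bound):
    """Checks sigma2_mod2_from_lift against every pair of integer roots 0 <= r1 <= r2 < bound
    (constructed sample: f(x) = (x - r1)(x - r2), so sigma_2 = r1*r2)."""
    for r1, r2 in combinations_with_replacement(range(bound), 2):
        s1, s2 = r1 + r2, r1 * r1 + r2 * r2
        if sigma2_mod2_from_lift(s1 % 4, s2 % 4) != (r1 * r2) % 2:
            return False
    return True


if __name__ == "__main__":
    print(power_sums([6, 11, 6]))                 # roots 1, 2, 3 -> [6, 14, 36]
    print([newton_injective(2, m) for m in (1, 2)])   # [True, False]
    print(lift_recovers_sigma2(12))               # True
```

newton_injective(2, 2) fails because s_2 = σ_1^2 − 2σ_2 loses σ_2 entirely in characteristic 2, while newton_injective(3, 2) succeeds since 2 is invertible in F_3; the last function is the p = 2, m = 2 instance of "transfer the argument to a ring of higher characteristic".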

Let Q_p be the p-adic field (i.e., the completion of the rational field with respect to the usual p-adic metric). Its ring of integers is, of course, closed under division by integers (∈ Z) indivisible by p. Also, let K_n be the splitting field (in C_p, the usual completion of the algebraic closure of Q_p) of the polynomial x^{q^n} − x over Q_p. Define Γ_n to be the set of roots of this polynomial, the Teichmüller points of K_n. Clearly, its non-zero elements form a cyclic group of order q^n − 1. Indeed, K_n is the unique unramified extension of K_1 of degree n. Let R_n denote the ring of integers of K_n. Then Γ_n ⊂ R_n ⊂ K_n.

Moreover, R_n is a local ring with unique maximal ideal pR_n and R_n/pR_n ≅ F_{q^n}.

Now, let e be a positive integer. Define Γ_{n,e} to be the set of classes of elements of Γ_n that are congruent mod p^e, i.e., γ_1 and γ_2 are in the same class if γ_1 − γ_2 ∈ p^e R_n. In this context, retain the notation γ for the class containing γ. Then γ^{q^n} = γ for γ ∈ Γ_{n,e}. Passing to classes mod p^e of elements of R_n yields a ring (Galois ring) R_{n,e} = {Σ_{i=0}^{e-1} γ_i p^i : γ_i ∈ Γ_{n,e}} = R_n/p^e R_n, so that R_{n,e} has cardinality q^{ne}. Note that, for each e ≥ 1, R_{n,e}/pR_{n,e} ≅ F_{q^n} also. Observe too that R_{n,1} = Γ_{n,1}, which can be identified with F_{q^n}. Conversely, each γ ∈ Γ_{n,1} yields a unique lift (also denoted by γ) to every Γ_{n,e} and ultimately to Γ_n itself.
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Of course, an element of (multiplicative) order r (a divisor of q^n − 1) in Γ_{n,1} lifts to an element of the same order in each Γ_{n,e} and in Γ_n. In particular, a primitive element (a generator or element of order q^n − 1) lifts to a primitive element in each case.

Next, we consider objects relating to the extension F_{q^n}/F_q. Of course K_1 is a subfield of K_n, with Γ_{1,e} ⊂ Γ_{n,e}, and R_{1,e} a subring of R_{n,e}. Similar relationships apply to the Galois rings. Further, note that the Galois group of K_n/K_1 is isomorphic to that of F_{q^n}/F_q, being cyclic of order n and generated by the Frobenius automorphism τ_n, where τ_n(γ) = γ^q, γ ∈ Γ_n. More generally, on R_n, τ_n(Σ_{i=0}^{∞} γ_i p^i) = Σ_{i=0}^{∞} γ_i^q p^i (where each γ_i ∈ Γ_n). This induces a ring homomorphism τ_n on R_{n,e} such that τ_n(Σ_{i=0}^{e-1} γ_i p^i) = Σ_{i=0}^{e-1} γ_i^q p^i (where now each γ_i ∈ Γ_{n,e}).

Recall that over F_q (and so over R_{1,1}), x^{q^n} − x is the product of all monic irreducible polynomials of degree a divisor of n. A typical monic irreducible polynomial f(x) of degree d (a divisor of n) in R_{1,1}[x] has the form

f(x) = (x - \gamma)(x - \gamma^q) \cdots (x - \gamma^{q^{d-1}}) = x^d - \sigma_1 x^{d-1} + \cdots + (-1)^d \sigma_d, \qquad (2.1)

where γ ∈ R_{n,1} and each σ_i ∈ Γ_{1,1} = R_{1,1}. The polynomial f lifts to a (unique) irreducible polynomial of degree d over each R_{1,e} and over R_1 having the same form, except that γ is the corresponding lifted element of R_{n,e} or R_n. But note that, in general, the coefficients σ_i in (2.1) lie in R_{1,e} (or R_1), but may not be in Γ_{1,e} (or Γ_1). From the above, the order of the polynomial f (which equals the order of any of its roots) or any of its lifts has the same value (a divisor of q^n − 1). In particular, f is primitive if it is irreducible of degree n and has order q^n − 1: this holds if and only if any of its lifts are primitive.

For any γ ∈ R_n, define its trace (over R_1) as T_n(γ) := γ + τ_n(γ) + ··· + τ_n^{n-1}(γ) = γ + γ^q + ··· + γ^{q^{n-1}} ∈ R_1. Further, if τ is defined as the generator of Gal(K_n/Q_p) such that τ^k = τ_n, where q = p^k, then evidently T_n(γ^p) (= T_n(τ(γ))) = τ(T_n(γ)), γ ∈ R_n. It follows that T_n(γ^{p^j}) = τ^j(T_n(γ)), j = 0, 1, 2, 3, .... A trace function with similar properties is induced on R_{n,e}.

Next, let γ ∈ R_n be the root of a lifted irreducible polynomial f(x) ∈ R_1[x]. Later we impose conditions to ensure γ is primitive: for the moment it suffices that f has degree n. Thus, (2.1) holds with d = n. Here σ_i denotes the i-th symmetric function of the roots γ, γ^q, ..., γ^{q^{n-1}}. Employing the trace notation, we have that s_i, the sum of the i-th powers of the roots of f, is given by s_i = T_n(γ^i) ∈ R_1. Of course, each s_i depends only on f and not on the specific root γ: moreover, all this translates to the expansion of f as a polynomial in R_{1,e}[x]. Take m ≤ n. Whereas, as we indicated earlier, knowledge of s_1, ..., s_m (for f(x) ∈ F_q[x] or R_{1,1}[x]) is generally insufficient to determine σ_1, ..., σ_m, the latter can be obtained from suitable information about s_1, ..., s_m for the lift of f to R_n or indeed to R_{n,e} for sufficiently large e. This is the key to the major advance of [4], [5].

Primitive Polynomials over Small Fields 201

We proceed to work with a lifted irreducible polynomial f of degree n in R_1[x] and eventually its reduction to R_{1,e} with e to be chosen. From now on, we shall reserve the letter t for a positive integer indivisible by p. Note from above that, for any such t, the value of s_{tp^i} for any i ≥ 0 is already determined by s_t, and is given by s_{tp^i} := τ^i(s_t). So to specify {s_1, ..., s_m}, say, it suffices to know the values of {s_t : t ≤ m}. Next, for any t, write s_t = Σ_{j=0}^{∞} g_{t,j} p^j, g_{t,j} ∈ Γ_1, whence s_{tp^i} = Σ_{j=0}^{∞} g_{t,j}^{p^i} p^j. Since each positive integer l has a unique expression in the form l = tp^j, then any "s-component" g_{t,j} is uniquely associated with the integer tp^j. The following lemma is the replacement for Newton's identities in the general context. In its statement, a ≡ b mod p for a, b ∈ R_1 is interpreted to mean that a = b as members of R_{1,1}.

Lemma 1. Let γ ∈ R_n be the root of an irreducible polynomial f(x) ∈ R_1[x] of degree n as above. Suppose m ≤ n. Write m = Tp^J, p ∤ T, J ≥ 0. Then

\sigma_m \equiv \frac{g_{T,J}}{T} + P_{m-1} \bmod p,

where P_{m-1} is a polynomial function over Z of the members of {g_{t,j} : tp^j < m}.
Proof. The reciprocal polynomial to f is

f^*(x) := 1 - \sigma_1 x + \sigma_2 x^2 - \cdots + (-1)^n \sigma_n x^n = \prod_{i=0}^{n-1} (1 - \gamma^{q^i} x) \in R_1[x].

Now f^*(x) ∈ R_1[x] can be regarded as an (infinite) formal power series over K_1. Invoking the expansion of f^* in terms of the exponential power series function exp x over K_1 (see [12], Ch IV), we have a formal identity

f^*(x) = \exp\Big[ -\sum_{i=0}^{n-1} \sum_{r=1}^{\infty} \frac{\gamma^{q^i r} x^r}{r} \Big]
       = \exp\Big[ -\sum_{r=1}^{\infty} \frac{s_r x^r}{r} \Big]
       = \exp\Big[ -\sum_{\substack{t \ge 1 \\ p \nmid t}} \sum_{i=0}^{\infty} \frac{s_{tp^i}\, x^{tp^i}}{tp^i} \Big]
       = \prod_{\substack{t \ge 1 \\ p \nmid t}} \prod_{j=0}^{\infty} \prod_{i=0}^{\infty} \exp\Big( -\frac{g_{t,j}^{p^i}\, p^{\,j-i}}{t}\, x^{tp^i} \Big). \qquad (2.2)

It is automatic that the net coefficient of any power of x in the expression (2.2) is in R_1: all contributions to the coefficient which apparently lie in K_1 \ R_1 must cancel.

202 Stephen D. Cohen

Now (−1)^m σ_m is the coefficient of x^m in (2.2) and derives solely from the expansion of terms with tp^i ≤ m. Further, for the value of σ_m mod p we need restrict consideration to terms with i ≤ j. (This is because, if l := j − i ≥ 1, then in the formal power series expansion of exp(c p^l x), c ∈ R_1, the coefficient c^r p^{lr}/r! of x^r lies in pR_1, since the power of p dividing r! is

\Big\lfloor \frac{r}{p} \Big\rfloor + \Big\lfloor \frac{r}{p^2} \Big\rfloor + \cdots < r.)

In particular, the expansion (mod p) of the term in (2.2) with t = T, j = J begins

\exp\Big( -\frac{g_{T,J}}{T}\, x^{Tp^J} \Big) = 1 - \frac{g_{T,J}}{T}\, x^{Tp^J} + \cdots.

This series also appears in the full expansion of (2.2): all other contributions (mod p) to the coefficient of x^m effectively involve (a Z-polynomial in) s-components g_{t,j} with tp^j ≤ m − 1. This completes the proof.



Given m ≤ n as in Lemma 1, define, for each t ≤ m, the integer e_t ≥ 1 by the inequalities tp^{e_t − 1} ≤ m < tp^{e_t}. Set e := e_1; thus e_t ≤ e for all t ≤ m. The application which follows relates to lifts of irreducible polynomials to R_{1,e} for this choice of e.

Corollary 4. Suppose m ≤ n and A ⊆ R_{1,e}[x] is a set of lifted irreducible polynomials of degree n with the property that, given any prescribed set {α_t ∈ R_{1,e_t} : t ≤ m}, there exists a polynomial in A for which p^{e−e_t} s_t = p^{e−e_t} α_t for all t ≤ m. Then, there exists an irreducible polynomial f(x) ∈ R_{1,1}[x] whose lift is in A and whose first m coefficients are arbitrary specified values in R_{1,1}.

Proof. Call the value of tp^j of an s-component its rank. The given assumptions can be summarised by saying that there is a polynomial in A with its s-components of rank ≤ m prescribed. Since there is a unique s-component of each rank, the total number of prescribed s-components is exactly m. Equivalently, Σ_{t≤m} e_t = m.

Suppose that two members of A are such that their s-components of rank ≤ m do not all coincide (mod p), and let l = t_1 p^{j_1}, where 1 ≤ l ≤ m, be the smallest rank where there is disagreement. Then the corresponding values of g_{t_1,j_1} mod p are different, and, by Lemma 1, the corresponding values of σ_l mod p also are different. Thus, there is a bijection between the set of possible values of the s-components of polynomials in A of rank ≤ m and the possible values of the first m coefficients (mod p) of such polynomials. The result follows.



3 Estimates of Primitive Elements with Specified Traces

From now on, assume the prime power $q = p^k$, the integers $m \le n$ and $e$ and, for each $t \le m$, the further integers $e_t$ are as in Corollary 4. By that result, we have to show that there exists a primitive $\gamma \in \Gamma_{n,e}$ for which the traces $s_t = T_n(p^{e-e_t}\gamma^t) = p^{e-e_t}a_t \in R_{1,e}$ for an arbitrary given set $\{a_t \in R_{1,e_t} : t \le m\}$.

We proceed to describe a standard expression for the characteristic function for a primitive element (generator) of a cyclic group in terms of its multiplicative characters $\chi$, starting with $\Gamma_{n,e} \cong \mathbb{F}^*_{q^n}$. Let $\hat\Gamma_{n,e}$ $(\cong \mathbb{F}^*_{q^n})$ denote the group of multiplicative characters of $\Gamma_{n,e}$. With $\chi \in \hat\Gamma_{n,e}$ there is an associated character over the set $\Gamma_{n,e}$ of non-zero Teichmüller points that extends to a character with conductor 1 over $R_{n,e}$ itself, see [13], Section 5.
Indeed, we consider a more general set than the one of merely primitive elements. Let $Q$ be any divisor of $q^n - 1$. An element $\gamma$ of $\Gamma_{n,e}$ is called $Q$-free if $\gamma = \alpha^d$, $\alpha \in \Gamma_{n,e}$, $d \mid Q$ implies $d = 1$. In particular, $\gamma$ is primitive if and only if it is $(q^n - 1)$-free.

For any $d \mid q^n - 1$, write $\chi_d$ for a typical character in $\hat\Gamma_{n,e}$ of order $d$. Thus $\chi_1$ is the trivial character. We employ a useful "integral" notation for weighted sums; namely, for $d \mid q^n - 1$, set

$$\int_{d \mid Q} \chi_d := \sum_{d \mid Q} \frac{\mu(d)}{\phi(d)} \sum_{\chi_d} \chi_d,$$

where $\phi$ and $\mu$ denote the functions of Euler and Möbius respectively and the inner sum runs over all $\phi(d)$ characters of order $d$. (Observe that only square-free divisors $d$ have any influence.) Then the characteristic function for the subset of $Q$-free elements of $\Gamma_{n,e}$ is

$$\theta(Q) \int_{d \mid Q} \chi_d(\gamma), \qquad \gamma \in \Gamma_{n,e}, \qquad (3.1)$$

where $\theta(Q) := \phi(Q)/Q = \prod_{l \mid Q,\ l \text{ prime}} (1 - 1/l)$.
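The Möbius-weighted character sum above, as an added numerical check that is not part of the paper: it is written for the simplest case $n = e = 1$, where the group is $\mathbb{F}_p^*$ for a prime $p$, so that a character of order $d$ can be evaluated at $\gamma = g^k$ ($g$ a generator) as $\exp(2\pi i\,jk/d)$ with $\gcd(j, d) = 1$. The prime $p = 31$, the prime lists for $p - 1$ and $Q$, and all function names are the example's own assumptions. The value of (3.1) is compared with the direct definition: $\gamma$ is $Q$-free exactly when it is not an $l$-th power for any prime $l \mid Q$, which for a cyclic group means $\gamma^{(p-1)/l} \ne 1$.

```python
# Added example (not from the paper): the characteristic function (3.1) of the
# Q-free elements, worked out for F_p^* (n = e = 1) and compared with the direct test.
import cmath
from itertools import combinations
from math import gcd, prod

def is_q_free(gamma, p, q_primes):
    """Direct test: gamma in F_p^* is Q-free iff it is not an l-th power for any prime l | Q
    (gamma is an l-th power iff gamma^((p-1)/l) = 1, because F_p^* is cyclic)."""
    return all(pow(gamma, (p - 1) // l, p) != 1 for l in q_primes)

def primitive_root(p, p_minus_1_primes):
    """Smallest generator of F_p^*: an element that is (p-1)-free."""
    return next(g for g in range(2, p) if is_q_free(g, p, p_minus_1_primes))

def dlog(gamma, g, p):
    """Brute-force discrete logarithm base g (p is tiny in this example)."""
    k, acc = 0, 1
    while acc != gamma:
        acc, k = acc * g % p, k + 1
    return k

def char_integral(k, q_primes):
    """The weighted sum  int_{d|Q} chi_d(gamma) = sum_{d|Q} mu(d)/phi(d) sum_{chi of order d} chi(gamma)
    for gamma = g^k.  Only square-free d contribute (mu(d) = 0 otherwise), so d runs over the
    products of subsets of the primes dividing Q; a character of order d takes the value
    exp(2 pi i a k / d) at g^k, one character for each a with gcd(a, d) = 1."""
    total = 0
    for r in range(len(q_primes) + 1):
        for subset in combinations(q_primes, r):
            d = prod(subset)                      # square-free divisor of Q (d = 1 for the empty subset)
            mu, phi = (-1) ** r, prod(l - 1 for l in subset)
            chi_sum = sum(cmath.exp(2j * cmath.pi * a * k / d)
                          for a in range(1, d + 1) if gcd(a, d) == 1)
            total += mu / phi * chi_sum
    return total

def theta(q_primes):
    """theta(Q) = phi(Q)/Q = prod_{l | Q, l prime} (1 - 1/l)."""
    return prod(1 - 1 / l for l in q_primes)

def q_free_indicator(gamma, p, g, q_primes):
    """Value of (3.1) at gamma: theta(Q) * int_{d|Q} chi_d(gamma), which is 1 or 0."""
    value = theta(q_primes) * char_integral(dlog(gamma, g, p), q_primes)
    return round(value.real)                      # imaginary parts cancel; round off float noise

if __name__ == "__main__":
    P_MINUS_1 = [2, 3, 5]                         # constructed input: p = 31, p - 1 = 30 = 2 * 3 * 5
    g = primitive_root(31, P_MINUS_1)
    for gamma in range(1, 31):
        assert q_free_indicator(gamma, 31, g, P_MINUS_1) == int(is_q_free(gamma, 31, P_MINUS_1))
    print("generator", g, "primitive elements:",
          [x for x in range(1, 31) if q_free_indicator(x, 31, g, P_MINUS_1)])
```

Taking $Q = p - 1$ the indicator picks out the $\phi(p-1)$ primitive elements; taking a proper divisor such as $Q = 6$ it picks out the elements that are neither squares nor cubes, and summing it over the group gives $\theta(Q)(p-1)$ in both cases, which is the "main term" that Proposition 5 below extracts from the trivial character.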

To deal with the trace conditions, we also need the additive characters of $R_{n,e}$. The canonical additive character is defined by

$$\psi_{(n)}(\xi) = \exp\Big(\frac{2\pi i\, T_{nk}(\xi)}{p^e}\Big).$$

We write $\psi$ for the canonical character on $R_{1,e}$. Thus, for $\xi \in R_{n,e}$, $\psi_{(n)}(\xi) = \psi(T_n(\xi))$. Every additive character on $R_{1,e}$ has the form $\psi_\alpha$, for some $\alpha \in R_{1,e}$, where $\psi_\alpha(\xi) = \psi(\alpha\xi)$, $\xi \in R_{1,e}$. A key property (summing values of $\psi$ over a subring $R_{1,e'}$, $e' \le e$) is that, for $\xi \in R_{1,e}$,

$$\sum_{\alpha \in R_{1,e'}} \psi(p^{e-e'}\alpha\xi) = \begin{cases} q^{e'} & \text{if } \xi \equiv 0 \pmod{p^{e'}}, \\ 0 & \text{otherwise.} \end{cases} \qquad (3.2)$$

Let $a_t \in R_{1,e_t}$. It follows from (3.2) that the characteristic function of the set of elements $\gamma$ in $\Gamma_{n,e}$ for which $s_t(\gamma)$ $(= T_n(p^{e-e_t}\gamma^t))$ assumes the value $p^{e-e_t}a_t \in R_{1,e}$ is

$$\frac{1}{q^{e_t}} \sum_{\alpha_t \in R_{1,e_t}} \psi\big(p^{e-e_t}\alpha_t(T_n(\gamma^t) - a_t)\big). \qquad (3.3)$$

Assume that, as in Corollary 4, $\{a_t \in R_{1,e_t} : t \le m\}$ are given, and that $Q \mid q^n - 1$. Define $N(Q)$ to be the number of $Q$-free elements in $\Gamma_{n,e}$ with $p^{e-e_t}s_t = p^{e-e_t}a_t \in R_{1,e}$, as at the head of this section. Employing the characteristic functions (3.1) and (3.3), we shall express $N(Q)$ in terms of (mixed additive and multiplicative) character sums with polynomial arguments. To formulate the underlying estimate (taken from [13], e.g., Corollaries 3.1 and 6.1), note that a polynomial $h(x) \in R_{n,e}[x]$ has a $p$-adic expansion of the form $h(x) = h_0(x) + h_1(x)p + \cdots + h_{e-1}(x)p^{e-1}$, where, for $j = 0, 1, \ldots, e-1$, $h_j$ is a polynomial (of degree $d_j$, say) with Teichmüller coefficients. Then the weighted degree $D_h$ of $h$ is defined by $D_h := \max(d_0p^{e-1}, d_1p^{e-2}, \ldots, d_{e-1})$.



Lemma 2. Suppose that $h(x)$ in $R_{n,e}[x]$ contains no monomial of degree divisible by $p$. Then

$$\Big|\sum_{\gamma \in \Gamma_{n,e}} \psi_{(n)}(h(\gamma))\Big| \le (D_h - 1)\,q^{n/2}.$$

Further, if $\chi$ is a non-trivial multiplicative character of $\Gamma_{n,e}$ then

$$\Big|\sum_{\gamma \in \Gamma_{n,e}} \psi_{(n)}(h(\gamma))\,\chi(\gamma)\Big| \le D_h\, q^{n/2}.$$

The key estimate is the following extension of inequality (6) of [5]. In it, for any positive integer $l$, we use $\theta(l)$ to denote the ratio $\phi(l)/l$ and $W(l) = 2^{\omega(l)}$ for the number of square-free divisors of $l$, where $\omega(l)$ is the number of distinct primes dividing $l$.

Proposition 5. Suppose that $m \le n/2$ and $e$ is as used in Corollary 4. Assume that $\{a_t \in R_{1,e_t} : t \le m\}$ are given. Suppose that $Q \mid q^n - 1$. Then the number of $Q$-free elements in $\Gamma_{n,e}$ with prescribed $p^{e-e_t}s_t \in R_{1,e}$ (as described above) satisfies the bound

$$N(Q) \ge \theta(Q)\big\{q^{n-m} - (1 - q^{-m})(mW(Q) - 1)\,q^{n/2}\big\} \qquad (3.4)$$

$$\ge \theta(Q)\big\{q^{n-m} - W(Q)\,m\,q^{n/2}\big\}. \qquad (3.5)$$

Proof. By (3.1) and (3.3) and the fact (noted in the proof of Corollary 4) that $\sum_{t \le m} e_t = m$, we have

$$q^m N(Q) = \theta(Q) \sum_{\gamma \in \Gamma_{n,e}} \int_{d \mid Q} \chi_d(\gamma) \prod_{t \le m} \Big[\sum_{\alpha_t \in R_{1,e_t}} \psi\big(p^{e-e_t}\alpha_t(T_n(\gamma^t) - a_t)\big)\Big]$$

$$= \theta(Q) \int_{d \mid Q} \sum_{\{\alpha_t \in R_{1,e_t} :\ t \le m\}} \psi\Big(-\sum_{t \le m} p^{e-e_t}\alpha_t a_t\Big)\, S(\psi_{(n)}, \chi_d), \qquad (3.6)$$

where

$$S(\psi_{(n)}, \chi_d) := \sum_{\gamma \in \Gamma_{n,e}} \psi_{(n)}(h(\gamma))\,\chi_d(\gamma), \qquad h(x) = \sum_{t \le m} p^{e-e_t}\alpha_t x^t,$$

a polynomial in $R_{1,e}[x]$.

Now evidently, when $h$ is the zero polynomial, i.e., $\alpha_t\ (\in R_{1,e_t}) = 0$ for all $t \le m$, then $S(\psi_{(n)}, \chi_d) = q^n - 1$ when $d = 1$ and is 0 for $d > 1$. For all other sets $\{\alpha_t \in R_{1,e_t} : t \le m\}$, by the convention on $t$, $h$ satisfies the restriction of Lemma 2. Moreover, the weighted degree of the typical monomial $p^{e-e_t}\alpha_t x^t \in R_{1,e}[x]$ of $h$ is at most $tp^{e_t-1} \le m$. Accordingly, $D_h \le m$. Thus, by Lemma 2, the absolute value of the contribution to the right side of (3.6) of the terms with $h \ne 0$ is bounded above by

$$(q^m - 1)\,q^{n/2}\{m - 1 + (W(Q) - 1)m\} = (q^m - 1)\,q^{n/2}(mW(Q) - 1),$$

because there are $\phi(d)$ characters $\chi_d$ for each $d \mid Q$. We conclude that (3.4) holds and (3.5) follows.

We remark that improvements in the bound (3.5) are possible (evidently, some of the polynomials $h$ have less than maximal weighted degree, and also more careful summing over one of the $\alpha_t$ is feasible), but (3.5) suffices for our purposes here. Taking $Q = q^n - 1$, we deduce the following conditional version of Theorems 1, 2 and 3.

Corollary 6. Given a prime power $q$ and arbitrary positive integers $n$ and $m \le n/2$, there exists a primitive polynomial $x^n + a_1x^{n-1} + \cdots + a_n \in \mathbb{F}_q[x]$ with the first $m$ coefficients $a_1, \ldots, a_m$ prescribed in advance whenever

$$q^{n/2 - m} > mW(q^n - 1). \qquad (3.7)$$

4 Primitive Binary Polynomials

We now suppose $q = 2$ and $m = \lfloor n/4 \rfloor$. Then (3.7) certainly holds whenever

$$2^{n/4 - \omega} > n/4, \qquad \omega := \omega(2^n - 1). \qquad (4.1)$$

Of course, a slightly weaker condition suffices when $n$ is indivisible by 4. For larger $n$ it is convenient to employ the following numerical fact.

Lemma 3. Suppose that $\omega \ge 25$. Then $\omega < n/5$.

Proof. Let $P(r)$ denote the product of the first $r$ odd primes. Then, by calculation (MAPLE), the inequality

$$P(r) > 2^{5r}, \qquad r \ge 25, \qquad (4.2)$$

holds for $r = 25$, the 25-th odd prime being 101. Inequality (4.2) is then evident by induction on $r$, since all further primes exceed $2^5 = 32$.

Granted $\omega \ge 25$, suppose that actually $\omega \ge n/5$. From (4.2),

$$2^n - 1 \le 2^{5\omega} - 1 < P(\omega) \le 2^n - 1,$$

a contradiction. The result follows.
Since the function $2^{x/20} - x/4$ is increasing for $x \ge 60$ and positive for $x = 90$, it follows from (4.1) that, provided $\omega < n/5$ and $n \ge 90$, Theorem 1 holds for this value of $n$. Indeed, by Lemma 3, the inequality $\omega < n/5$ does hold whenever $\omega \ge 25$ (so that automatically $n > 125$). We conclude that Theorem 1 is established except when $\omega \le 24$ and $n < 5\omega \le 120$.

In fact, for $n \le 120$, $\omega \le 12$ with equality when $n = 72, 84, 96, 108$. With this bound for $\omega$, it suffices that $2^{n/4} > 1024n$, which holds for $n \ge 65$. Similarly, for $60 \le n \le 64$, $\omega \le 11$ and for $49 \le n \le 59$, $\omega \le 8$, and (4.1) holds in these ranges. But the inequality is false for values of $n$ such as 48 ($\omega = 9$), 40 ($\omega = 7$) and 36 ($\omega = 8$).

To deal with most smaller values of $n$, we apply a sieving technique (effective for all prime power values of $q$) which yields a criterion which, when $s = 1$, reduces to Corollary 6.

Lemma 4. Given a prime power $q$ and an arbitrary positive integer $n$, write the product of the distinct primes in $q^n - 1$ as $l\,p_1 \cdots p_s$, for some divisor $l$ and distinct primes $p_1, \ldots, p_s$. For any $m \le n/2$, there exists a primitive polynomial $x^n + a_1x^{n-1} + \cdots + a_n \in \mathbb{F}_q[x]$ with the first $m$ coefficients $a_1, \ldots, a_m$ prescribed in advance whenever

$$q^{n/2 - m} > mW(l)\Big(\frac{s - 1}{\delta} + 2\Big), \qquad (4.3)$$

where $\delta := 1 - \sum_{i=1}^{s} \frac{1}{p_i}$.

Proof. As noted already, only the actual primes dividing $q^n - 1$ are significant. Observe also that $W(lp_i) = 2W(l)$ and $\theta(lp_i) = \theta(l)(1 - 1/p_i)$, $i = 1, \ldots, s$. With the notation of Proposition 5, an elementary sieving argument (see [3]) yields

$$N(q^n - 1) \ge \sum_{i=1}^{s} N(lp_i) - (s - 1)N(l) = \delta N(l) + \sum_{i=1}^{s}\Big[N(lp_i) - \Big(1 - \frac{1}{p_i}\Big)N(l)\Big] \ge \theta(l)\,q^{n/2}\Big\{\delta\big(q^{n/2 - m} - mW(l)\big) - (s - 1 + \delta)\,mW(l)\Big\},$$

since

$$\Big|N(lp_i) - \Big(1 - \frac{1}{p_i}\Big)N(l)\Big| \le \theta(lp_i)\,m\,q^{n/2}\big(W(lp_i) - W(l)\big), \qquad i = 1, \ldots, s,$$

by the argument of Proposition 5 applied to the terms involving characters of order $dp_i$, where $d \mid l$. Because $W(lp_i) = 2W(l)$, the result follows.



In the binary case, for $n \le 48$, we attempt to apply Lemma 4 with $q = 2$, $m = \lfloor n/4 \rfloor$ and (usually) $l = 3$. Table 1 shows that the condition is satisfied for a sample of (the most delicate) values of $n \ge 21$ (where the displayed decimals have been truncated). Here (and later) we use $\Delta$ to denote the quantity $mW(l)\big((s-1)/\delta + 2\big)$ appearing in the right side of (4.3) for the appropriate values of the parameters.

The conclusion from such working is that for $21 \le n \le 48$, only the value $n = 24$ fails the condition of Lemma 4 with $l = 3$. Here $m = 6$, $p_1 \cdots p_s = 5 \cdot 7 \cdot 13 \cdot 17 \cdot 241$, $\delta = .5172$ and the left and right sides of the condition are 64 and 116.7, respectively. There are similar failures for $n = 18$ and 16. The result holds easily by Corollary 6 for $n = 19, 17$ since $2^n - 1$ is a Mersenne prime. Recall from Section 1 that we can assume $n \ge 16$.



   n    m   l   p_1 ... p_s                      δ       Δ      q^{n/2-m}
  48   12   3   5·7·13·17·97·241·257·673         .5015   382.9   4096
  40   10   3   5·11·17·31·41·61681              .5936   208.4   1024
  36    9   3   5·7·13·19·37·73·109              .4776   263.7    512
  30    7   3   7·11·31·151·331                  .7243   105.8    256
  28    7   3   5·29·43·113·127                  .7255   112.8    128
  25    6   1   31·601·1801                      .9655    24.5     90.5
  22    5   3   23·89·683                        .9438    41.1     64
  21    5   1   7·127·337                        .8463    21.8     45.2

Table 1: Sieving table for q = 2

The final step in the binary case was to use MAPLE 6 to print out 64 primitive binary polynomials of degree 24, one for each possible choice of its first 6 coefficients. For $n = 20$, 32 primitive polynomials covering all choices of the first 5 coefficients, and for $n = 18$ or 16, 16 polynomials covering all choices of the first 4 coefficients, were similarly obtained. To summarise the outcome we shall, in this paper, use the term "weight $r$" to describe a polynomial with (at most) $r$ non-zero coefficients amongst those of the (non-specified, non-constant) monomials $x^i$, $1 \le i \le n - m$. Here, in every case it sufficed to look at weight 2 polynomials. This completes the proof of Theorem 1.
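The two computational steps of this section, the sieve criterion (4.3) of Lemma 4 evaluated from the factorisation of $2^n - 1$ (as in Table 1) and the direct search for a low-weight primitive polynomial with prescribed leading coefficients, as one added example in Python; this is not the paper's MAPLE code. Polynomials over $\mathbb{F}_2$ are bit masks (bit $i$ is the coefficient of $x^i$), primitivity is decided by checking that $x$ has multiplicative order exactly $2^n - 1$ modulo $f$, and the function names, the trial-division factoriser and the test values ($n = 4, 8$, and the $n = 24, 48$ rows discussed above) are the example's own assumptions.

```python
# Added example (not the paper's MAPLE code): (a) the sieve criterion (4.3) of Lemma 4
# evaluated from the factorisation of q^n - 1, and (b) the direct search for a primitive
# binary polynomial of degree n with prescribed first m coefficients and minimal "weight".
from itertools import combinations

def prime_factors(N):
    """Distinct prime factors of N by trial division (adequate for the small q^n - 1 used here)."""
    ps, d = [], 2
    while d * d <= N:
        if N % d == 0:
            ps.append(d)
            while N % d == 0:
                N //= d
        d += 1
    if N > 1:
        ps.append(N)
    return ps

def sieve_check(q, n, m, l_primes):
    """Both sides of (4.3):  q^(n/2 - m) > m W(l) ((s - 1)/delta + 2),  where l is the product of
    l_primes, p_1 ... p_s are the remaining primes of q^n - 1 and delta = 1 - sum 1/p_i.
    Returns (lhs, rhs, delta); Lemma 4 applies when lhs > rhs."""
    primes = prime_factors(q ** n - 1)
    assert all(l in primes for l in l_primes), "l must be a product of primes dividing q^n - 1"
    sieved = [p for p in primes if p not in l_primes]
    s = len(sieved)
    delta = 1 - sum(1 / p for p in sieved)
    W_l = 2 ** len(l_primes)                    # W(l) = number of square-free divisors of l
    lhs = q ** (n / 2 - m)
    rhs = m * W_l * ((s - 1) / delta + 2)       # the quantity called Delta in the text
    return lhs, rhs, delta

# --- polynomials over F_2 as bit masks: bit i is the coefficient of x^i ---

def gf2_mulmod(a, b, f, n):
    """a * b mod f in F_2[x], for a, b of degree < n and f monic of degree n."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= f
    return r

def gf2_powmod(a, k, f, n):
    """a^k mod f by square-and-multiply."""
    r = 1
    while k:
        if k & 1:
            r = gf2_mulmod(r, a, f, n)
        a = gf2_mulmod(a, a, f, n)
        k >>= 1
    return r

def is_primitive(f, n):
    """f (degree n >= 2) is primitive iff x has multiplicative order exactly 2^n - 1 modulo f:
    x^(2^n - 1) = 1 and x^((2^n - 1)/l) != 1 for every prime l | 2^n - 1.  That order is
    unattainable when f is reducible, so no separate irreducibility test is needed."""
    if f >> n != 1 or not f & 1:                # monic of exact degree n, nonzero constant term
        return False
    order = (1 << n) - 1
    x = 0b10
    if gf2_powmod(x, order, f, n) != 1:
        return False
    return all(gf2_powmod(x, order // l, f, n) != 1 for l in prime_factors(order))

def find_primitive(n, m, prefix):
    """Search, by increasing weight, for a primitive f of degree n whose coefficients of
    x^(n-1), ..., x^(n-m) are the bits of prefix (a_1, ..., a_m).  'Weight' counts the
    non-zero coefficients among the non-specified, non-constant monomials x^1 ... x^(n-m-1),
    as in the text.  Returns (f, weight), or None if no such primitive polynomial exists."""
    assert len(prefix) == m and 0 <= m < n
    base = (1 << n) | 1                         # x^n + ... + 1
    for i, a in enumerate(prefix):
        base |= a << (n - 1 - i)
    free = range(1, n - m)
    for w in range(len(free) + 1):
        for positions in combinations(free, w):
            f = base
            for pos in positions:
                f |= 1 << pos
            if is_primitive(f, n):
                return f, w
    return None

if __name__ == "__main__":
    # The n = 24 case that fails Lemma 4 in the text (64 versus 116.7) and the n = 48 row of Table 1.
    for n in (24, 48):
        lhs, rhs, delta = sieve_check(2, n, n // 4, (3,))
        print(f"n={n}: q^(n/2-m)={lhs:.1f}, Delta={rhs:.1f}, delta={delta:.4f}, holds={lhs > rhs}")
    # Direct search, as for the values of n that the sieve does not settle.
    for prefix in ((0, 0), (0, 1), (1, 0), (1, 1)):
        f, w = find_primitive(8, 2, prefix)
        print(f"prefix {prefix}: f = {f:#011b}, weight {w}")
```

The order test in `is_primitive` is the whole story for primitivity: if $f$ were reducible, the odd part of the exponent of the unit group of $\mathbb{F}_2[x]/(f)$ would divide a product of numbers $2^{d_i} - 1$ with $\sum d_i < n$, which is smaller than $2^n - 1$, so $x$ could not reach that order. For the degrees treated in this section ($n \le 24$) trial division of $2^n - 1$ is instantaneous, and the search cost is dominated by the number of low-weight candidates per prefix, which is why the text can afford to try weight 0, 1 and 2 only.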



5 Primitive Ternary Polynomials

We next suppose $q = 3$ and $m = \lfloor n/3 \rfloor$. Then (3.7) certainly holds whenever

$$3^{n/6}/2^{\omega} > n/3, \qquad \omega := \omega(3^n - 1). \qquad (5.1)$$

Of course, a slightly weaker condition suffices when $n$ is indivisible by 3. The following lemma is the counterpart of Lemma 3.

Lemma 5. Suppose that $\omega \ge 65$. Then $\omega < n/4.17$.

Proof. This proceeds as for Lemma 3, but based (instead of on (4.2)) on the inequality

$$P(r) > 3^{4.17r}, \qquad r \ge 65,$$

where now $P(r)$ denotes the product of the first $r$ primes ($\ne 3$). Note that the 65-th such prime is 317, which exceeds $3^{4.17}$.

By (5.1) and Lemma 5, Theorem 2 holds unless $\omega \le 64$ and $n \le 4.17\omega \le 267$, provided $3^{n/6}/2^{n/4.17} > n/3$. This last inequality holds for all $n \ge 266$. In summary, we may suppose $n \le 266$.

For $72 \le n \le 266$, it is not necessary to find the complete factorisation of $3^n - 1$. For MAPLE has an "easy" factorisation option which quickly finds all prime factors $< 10^6$ (and many larger prime factors). From this it follows that, in place of Lemma 5, we have the stronger fact that $\omega \le n/8$ for $48 \le n \le 266$. Since $3^{n/6}/2^{n/8} > n/3$ for $n \ge 72$, we conclude that Theorem 2 holds for any value of $n \ge 72$.

For most values of $n$ in the range $14 \le n \le 71$, application of Lemma 4 (using $l = 2$) is successful, as indicated in Table 2, which features a selection of values in the range (including all the most delicate cases).



   n    m   p_1 ... p_s                               δ       Δ      q^{n/2-m}
  48   16   5·7·13·17·41·73·97·577·769·6481           .4628   752.7   6561
  36   12   5·7·13·19·37·73·757·530713                .4855   396.0    729
  30   10   5·7·11·13·31·37·61·271·4561               .6367   228.4    243
  27    9   13·109·151·433·757·8209                   .9101   115.1    140.2
  25    8   11·29·8951·391151                         .9089    67.2    140.2
  22    7   23·67·661·3851                            .9398    72.6     81
  20    6   5·11·61·1181                              .6918    76.0     81
  19    6   1597·363889                               .9993    36.0     46.7
  17    5   1871·34511                                .9943    30.0     46.7
  14    4   547·1093                                  .9972    24.0     27

Table 2: Sieving table for q = 3



Since we may take $n \ge 12$, the only values of $n$ not covered so far are those in the set $S := \{24, 21, 18, 16, 15, 13, 12\}$. MAPLE 6 was used to find relevant primitive polynomials for each $n \in S$ and each choice of first coefficients. In every case a weight 2 primitive polynomial sufficed, except that, when $n = 12$, one weight 4 polynomial ($x^{12} + \cdots - x - 1$) was needed. This completes the proof of Theorem 2.
6 Primitive Polynomials over $\mathbb{F}_4$

Now we consider the first case of Theorem 3 and take $q = 4$ and $m = \lfloor n/3 \rfloor$. Then (3.7) certainly holds whenever

$$2^{n/3 - \omega} > n/3, \qquad \omega := \omega(4^n - 1). \qquad (6.1)$$

Of course, a slightly weaker condition suffices when $n$ is indivisible by 3. The following lemma now takes the place of Lemma 3.

Lemma 6. Suppose that $\omega \ge 63$. Then $\omega < n/3.29$.

Proof. This time use the numerical inequality

$$P(r) > 4^{3.29r}, \qquad r \ge 63,$$

where here $P(r)$ denotes the product of the first $r$ odd primes. Note that the 63-rd such prime is 311, which exceeds $4^{3.29}$.

By (6.1) and Lemma 6, Theorem 3 holds with $q = 4$ unless $\omega \le 62$ and $n \le 3.29\omega \le 204$, provided $2^{n/3 - n/3.29} > n/3$. This last inequality holds for all $n \ge 208$. In summary, we may suppose $n \le 207$.

Using MAPLE's "easy" factorisation option, we find that, in place of Lemma 6, we have the stronger fact that $\omega \le n/4$ for $48 \le n \le 207$. Since $2^{n/3 - n/4} > n/3$ for $n > 48$, we conclude that Theorem 3 holds for any value of $n \ge 49$. Again, for most values of $n$ in the range $13 \le n \le 48$, application of Lemma 4 (using $l = 3$) is successful. Table 3 features a selection of values in the range (including all the most delicate cases) for which success occurs.



   n    m   p_1 ... p_s                                    δ       Δ      q^{n/2-m}
  36   12   5·7·13·17·19·37·73·109·241·433·38737           .4123   692.9   4096
  30   10   5·7·11·13·31·41·61·151·331·1321                .4058   483.4   1024
  24    8   5·7·13·17·97·241·257·673                       .5015   255.3    256
  20    6   5·11·17·31·41·61681                            .5936   125.0    256
  16    5   5·17·257·65537                                 .7372    60.6     64
  14    4   5·29·43·113·127                                .7255    60.1     64

Table 3: Sieving table for q = 4



In Table 3, observe that inequality (4.3) is just satisfied when $n = 24$. From Section 1, there remain the values $n = 18, 15, 12$ and 6 to verify directly. Because the base field $\mathbb{F}_4$ is non-prime we adopted a different strategy in using MAPLE. We selected a primitive element $\gamma$ of $\mathbb{F}_{4^n} = \mathbb{F}_{2^{2n}}$ by specifying it as a root of a fixed primitive polynomial of degree $2n$ over $\mathbb{F}_2$. Then, we took powers $\gamma^i$, $(i, 4^n - 1) = 1$ with $i$ odd, and calculated the $m$-tuple of elements in $\mathbb{F}_4$ comprising the first $m$ symmetric functions of the conjugates of $\gamma^i$ over $\mathbb{F}_4$ (effectively, the first $m$ coefficients of the minimal polynomial of $\gamma^i$). Every time we found such an $m$-tuple we also calculated the conjugate $m$-tuple over $\mathbb{F}_4$, since this is associated with the conjugate primitive polynomial, having $\gamma^{2i}$ as a root. This process ceased once a primitive polynomial associated with each of the $4^m$ choices of first $m$ coefficients (and their conjugates) had been identified. The (odd) value of $i$ reached by this stage is denoted by $i_m$. The results are displayed in Table 4. In particular, the computation for the case in which $n = 18$, $m = 6$ took several days to complete and was the longest undertaken.



   n    m   4^m    primitive polynomial of degree 2n over F_2   i_m
   6    2     16   x^{12} + ⋯ + x + 1                             163
  12    4    256   ⋯ + x + 1                                     4601
  15    5   1024   ⋯                                            13201
  18    6   4096   ⋯ + 1                                        88147

Table 4: Values of i_m for q = 4.



7 Primitive Polynomials over $\mathbb{F}_5$

Next we take $q = 5$ and continue to denote $\lfloor n/3 \rfloor$ by $m$. Certainly, (3.7) holds whenever

$$5^{n/6}/2^{\omega} > n/3, \qquad \omega := \omega(5^n - 1). \qquad (7.1)$$

The following lemma is now relevant.

Lemma 7. Now let $P(r)$ denote the product of the first $r$ primes (excluding 5). Then

$$P(r) > 5^{2.828r}, \qquad r \ge 63.$$

Lemma 8. Suppose that $\omega \ge 63$. Then $\omega < n/2.828$.

Proof. This time use the numerical inequality

$$P(r) > 5^{2.828r}, \qquad r \ge 63,$$

where here $P(r)$ denotes the product of the first $r$ primes ($\ne 5$). Note that the 63-rd such prime is 311, which exceeds $5^{2.828}$.

By (7.1) and Lemma 8, Theorem 3 holds with $q = 5$ unless $\omega \le 62$ and $n \le 2.828\omega \le 176$, provided $5^{n/6}/2^{n/2.828} > n/3$. This last inequality holds for all $n \ge 176$. In summary, we may suppose $n \le 175$.

Primitive Polynomials over Small Fields 211

By MAPLE's "easy" factorisation option, we find that, in place of Lemma 8, we have the stronger fact that $\omega \le 2n/7$ for $36 \le n \le 175$ (with equality when $n = 42$). Since $5^{n/6}/2^{2n/7} > n/3$ for $n \ge 36$, we conclude that Theorem 3 holds for any value of $n \ge 36$. Again, for most values of $n$ in the range $13 \le n \le 35$, application of Lemma 4 (using $l = 2$) is successful. Table 5 features a selection of values in the range (including all the most delicate cases) for which success occurs.



   n    m   p_1 ... p_s                              δ       Δ      q^{n/2-m}
  30   10   3·7·11·31·61·71·181·521·1741·7621        .3620   537.2   3125
  24    8   3·7·13·31·313·601·390001                 .4097   266.2    625
  20    6   3·11·13·41·71·521·9161                   .4583   181.0    625
  16    5   3·13·17·313·114897                       .5276    95.8    125
  14    4   3·29·449·19531·127                       .6299    54.1    125

Table 5: Sieving table for q = 5



Indeed, the only values of $n \ge 12$ (as we may assume) not covered so far are those in $S := \{18, 15, 12\}$. Finally, MAPLE was used to find relevant weight 2 primitive polynomials for each $n \in S$ and each choice of first coefficients, as in Section 5.



8 Primitive Polynomials over Larger Fields

From now on, assume $q \ge 7$. As will be evident from the preceding sections, the most delicate cases occur when $n$ is small (for example, $n = 12$). As remarked already, the difficulties for larger $n$ are largely organisational in character. As noted in Section 1, we can assume $n \ge 12$ (except when $q\ (\ge 4)$ is even, in which case we should also check $n = 6$ and 7).

We start by showing that Corollary 6 applies when $\omega := \omega(q^n - 1)$ is sufficiently large. In practice, this means $\omega \ge 1547$.

Lemma 9. Suppose that the positive integer $M$ is such that $\omega(M) \ge 1547$. Then

$$2^{\omega(M)} < 0.91\,M^{1/12}.$$

Proof. The 1547-th prime is 12983. By calculation, the product $P := \prod_{l \le 12983} \frac{2}{l^{1/12}}$ (over all primes $l \le 12983$) is less than 0.91. Since $12983^{1/12} > 2.2 > 2$, it is evident that

$$\frac{2^{\omega(M)}}{M^{1/12}} \le \prod_{l \mid M} \frac{2}{l^{1/12}} \le P,$$

and the lemma follows.
To apply Lemma 9, suppose that $\omega := \omega(q^n - 1) \ge 1547$. Then (3.7) is satisfied whenever $q^{n/12} > 0.91\,n/3$. By considering its logarithm, the function $q^{x/12} - 0.91\,x/3$ is increasing for $x \ge 12$ and positive for $x = 12$ (indeed positive for $x = 6$) provided $q \ge 4$. So Theorem 3 holds in this circumstance.

We can therefore assume $\omega \le 1546$ (and $n \le 12 \cdot 1546 = 18552$). To reduce rapidly the range of possible values for $\omega$, temporarily set $w_1 = 1546$. Apply the sieving inequality as follows. Let $l$ be the product of the smallest $r$ (distinct) primes in $q^n - 1$, where, in the first instance, $r$ is taken to have the value 10. (This means of course that it is assumed that $r \le \omega \le w_1$.) Thus, in the notation of Lemma 4, $s = \omega - r \le s_0 = w_1 - r$ (initially $s_0 = 1536$) and

$$\delta \ge \delta_0 := 1 - \sum_{i = r+1}^{w_1} \frac{1}{l_i},$$

where $l_i$ is the $i$-th prime. In particular, with the specific values above $\delta_0 = 0.02267$ (truncating). Set $\Delta_0 := 2^r\big((s_0 - 1)/\delta_0 + 2\big)$; clearly (4.3) is satisfied whenever

$$q > \Big(\frac{n}{3}\,\Delta_0\Big)^{6/n}. \qquad (8.1)$$

Again by differentiation, it is evident that $q^{n/6} - \frac{n}{3}\Delta_0$ is increasing for $n \ge 12$ $(q \ge 2)$. Therefore, set $q_0 := 2\sqrt{\Delta_0}$ (i.e., the right side of (8.1) when $n = 12$). Indeed, with the initial values shown we have $q_0 = 16653.6$. We conclude that (4.3) holds (under the above conditions) whenever $q > q_0$ and we may henceforth assume that $q \le \lfloor q_0 \rfloor$. Now suppose that, for an appropriate choice of $w_2$ (where, in the first instance, we select $w_2 = 120$), we have $w_2 \le \omega \le w_1$. Then, with $P(j)$ denoting the product of the first $j$ primes, we have

$$n \ge \Big\lceil \frac{\log P(w_2)}{\log q} \Big\rceil \ge \Big\lceil \frac{\log P(w_2)}{\log \lfloor q_0 \rfloor} \Big\rceil =: n_0.$$

As the final act of this first round evaluate $q^*$, defined as the right side of (8.1) when $n = n_0$. Indeed, $q^* = 6.836$. It follows that (4.3) holds (and so Theorem 3 is valid) whenever $q > q^*$ and $\omega \ge w_2$. In particular, the above figures establish Theorem 3 whenever $\omega \ge w_2 = 120$.



   w_1    r    s_0   δ_0       q_0       q_1   w_2   n_0   q*
  1546   10   1536   .02267   16653.6          120    66   6.836
   119    5    114   .12910     335.1           53    40   6.854
    52    4     48   .20068     122.9           40    33   6.914
    39    3     36   .12170      96.2     89    26    20   18.05
    39    3     36   .12170               17    26    32   6.66
    25    3     22   .23051      54.5     53    20    16   22.36
    25    3     22   .23051               19    20    21   11.53
    25    3     22   .23051               11    20    26   7.57
    25    3     22   .23051                7    20    32   5.38
    19    2     17   .10455      49.8

Table 6: Sieving table for large q
The outcome of Table 6 is that Theorem 3 is established, except possibly for $q$ one of the 19 prime powers with $7 \le q \le 49$ and $\omega \le 19$. Indeed, at this last stage (with $r = 2$), by amending $\delta_0$ to take into account the fact that $q^n - 1$ is indivisible by the characteristic $p$, we can assume that $\omega \le 15$ and $q \le 31$. Even then, if we take $n \ge 22$ when $q = 7$ and $n \ge 18$ otherwise (instead of the calculated value of $n_0$), we can guarantee that (4.3) holds. For the pairs $(q, n)$, $7 \le q \le 31$, $n \le 21$ or 17, that remain, by obtaining the factorisation of $q^n - 1$, we find that most satisfy either the basic criterion (3.7) or the sieve inequality (4.3) with $l = 2$ or 3, according as $q$ is odd or even, respectively. For example, the latter is satisfied when $q = 8$ and $n = 6$. The pairs $(q, n)$, $n \ge 12$ (allowing also $n = 6$ when $q$ is even) that survive to be checked directly are thereby found to be $(q, 12)$ for $7 \le q \le 13$. Here, for the prime values $q = 7, 11, 13$, for each choice of first 4 coefficients (28561 choices in the final case), we hunted successfully (as in Sections 4, 5 and 7) until a primitive polynomial of degree 12 was found with weight 2 (for $q = 7$) and weight 1 for $q = 11$ and 13 (except for a single weight 2 case, $4x^{10} - 5x^{6} + x^{4} + 2x + 2$ when $q = 11$). For $q = 9$, we took powers $\gamma^i$, $(i, 9^{12} - 1) = 1$ with $i$ odd, of a primitive element $\gamma$ of $\mathbb{F}_{3^{24}}$ (a root of $x^{24} + \cdots - 1$), until all 4-tuples of first 4 coefficients and their conjugates had been accounted for (as in Section 6). In similar notation to that used there, we obtained $i_m = 136103$. Finally, for $q = 8$, the same primitive element of $\mathbb{F}_{2^{24}}$ was used as in Section 6. On this occasion, every time a new 4-tuple of first coefficients is obtained, two further conjugates are also accounted for. In this way, we obtained $i_m = 91901$. Interestingly, some 4-tuples in $\mathbb{F}_2$ are the last to emerge in the search, namely $(0, 1, 0, 0)$ $(i = 56423)$; $(1, 1, 1, 0)$ $(i = 61267)$; $(1, 0, 1, 1)$ $(i = 75151)$; $(0, 0, 0, 1)$ $(i = 91901)$. This completes the proof of Theorem 3.
Abstract. The design of large classes of highly nonlinear resilient vectorial functions (mappings from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$, also called S-boxes) is needed for iterated block ciphers and for pseudo-random generators with multiple output. In this paper, we recall the diverse known constructions of such S-boxes, and we show that those which provide good candidate functions are, in fact, all in the same class. This class corresponds to a generalization of a well known construction due to Maiorana and MacFarland. We study in detail this construction and we specify it to obtain good S-boxes. In a second part, we generalize to S-boxes the notion of covering sequence. We show that this generalization has the same properties as for Boolean functions, and that it has nice additional properties of stability. We study how this notion can be used to design attacks, and we explain why some functions, including the elements of the new class, cannot be involved in the construction of iterated block ciphers.



1 Introduction 

Cryptographic encryption schemes are divided into two main classes: block ciphers and stream ciphers. Block ciphers, such as DES or AES, are the compositions of several rounds. Each round involves vectorial functions from the binary vector space $\mathbb{F}_2^n$ into the vector space $\mathbb{F}_2^m$, also called S-boxes or $(n,m)$-functions (the parameters $n$ and $m$ of $(n,m)$-functions used in block ciphers are often chosen to be equal). To protect these cryptosystems from attacks (such as linear [31] or differential attacks [2]) these $(n,m)$-functions must have, in general, a high algebraic degree and a high nonlinearity.

Pseudo-random generators in stream ciphers involve a Boolean function to combine the outputs of several linear feedback shift registers or to filter the contents of a single one. To speed up the encryption and decryption of these stream ciphers, one can try to replace the Boolean combining (or filtering) function by a vectorial one. To prevent some kind of attacks called fast correlation attacks against stream ciphers, the functions involved, Boolean or vectorial, must have a high algebraic degree and a high nonlinearity. Moreover, in the particular case of stream ciphers with combining generator, they must also satisfy another property called high resiliency. In addition to fast correlation attacks, algebraic attacks, based on low degree approximation/decomposition, have been introduced (see [15, 21]) against all these systems involving either Boolean or vectorial functions as cryptographic primitives. Among the classical criteria (algebraic degree, nonlinearity and resiliency) only the degree seems related to the resistance of a cryptosystem against algebraic attacks; and it is still necessary to define all new relevant criteria.

The construction of highly nonlinear balanced vectorial functions (resp., the 
construction of highly nonlinear resilient vectorial functions) is needed to de- 
sign secure block ciphers or stream ciphers with filtering multi-output generator 
(resp. secure stream ciphers with combination multi-output generator). More- 
over, the class of functions constructed for any given nonlinearity and any given 
resiliency order, must be sufficiently large to allow cryptographers to choose 
functions satisfying additional criteria more specific to the implementation. 

We will show that all known constructions of highly nonlinear $(n,m)$-functions (resilient or not) can be obtained as special cases of a single general construction. This construction is a generalization to the vectorial case of the Maiorana-MacFarland construction. We recall the known facts about this construction, giving a general construction including all the previous constructions introduced in [23, 25, 29, 34]. We show that, for $m > n/2$, this construction does not allow to design directly resilient highly nonlinear $(n,m)$-functions, and we give a way to use vectorial Maiorana-MacFarland functions to design, by concatenation, such $(n,m)$-functions with parameters satisfying $m > n/2$. This is the only known primary construction of a large set of resilient highly nonlinear $(n,m)$-functions with $m > n/2$.

In a second part, we generalize to vectorial functions the notion of covering 
sequences introduced in [11] and we explain how some covering sequences could 
be used to attack iterated block ciphers. We show that Maiorana-MacFarland 
functions extended by concatenation admit covering sequences which can be used 
to attack iterated block ciphers involving them in the round functions, when the 
round key is introduced by addition (which is the most usual way of introducing 
it). 



2 Notation and Preliminaries

We will have to distinguish in the whole paper between the additions of integers in $\mathbb{R}$, denoted by $+$ and $\sum$, and the additions mod 2, denoted by $\oplus$ and $\bigoplus$. For simplicity and because there will be no ambiguity, we will denote by $\oplus$ the addition of vectors of $\mathbb{F}_2^n$ (words) and of elements of fields $\mathbb{F}_{2^n}$ with $n > 1$.

We call $(n,m)$-function any mapping $F$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. If $m$ equals 1, then the function is called Boolean and we will denote by $\mathcal{B}_n$ the set of all Boolean

Vectorial Functions and Covering Sequences 217

functions defined on $\mathbb{F}_2^n$.

Denoting the all-zero vector by $0$, we call support of $F$ and we denote by $\mathrm{Supp}\,F$ the set $\{x \in \mathbb{F}_2^n \,/\, F(x) \ne 0\}$. Let $\#E$ denote the cardinality of any set $E$. An $(n,m)$-function $F$ is said to be balanced if every element $y \in \mathbb{F}_2^m$ admits the same number $2^{n-m}$ of pre-images by $F$, that is $\#\{x \in \mathbb{F}_2^n;\ F(x) = y\} = 2^{n-m}$.

To every $(n,m)$-function $F$, we associate the $m$-tuple $(f_1, \ldots, f_m)$ of Boolean functions on $\mathbb{F}_2^n$, called the coordinate functions of $F$, such that we have $F(x) = (f_1(x), \ldots, f_m(x))$.

Every $(n,m)$-function $F$ admits a unique representation as a polynomial over $\mathbb{F}_2^m$ in $n$ binary variables of the form:

$$F(x_1, \ldots, x_n) = \bigoplus_{I \subseteq \{1, \ldots, n\}} a_I \prod_{i \in I} x_i, \qquad a_I \in \mathbb{F}_2^m.$$

This representation is called the algebraic normal form (A.N.F.) of $F$. We will call (algebraic) degree of $F$ and denote by $\deg F$ the degree of its A.N.F. It equals the maximum algebraic degree of its coordinate functions or more generally of the linear combinations of its coordinate functions. But a low minimum degree of the nonzero linear combinations of the coordinate functions of $F$ can be used to cryptanalyse a system. So we also define a second notion of degree which will be called minimum degree, defined by

$$\deg_{\min}(F) = \min_{v \in \mathbb{F}_2^m,\ v \ne 0} \deg(v \cdot F).$$

To make easier the study of the properties of $F$, we classically introduce the sign function $\chi_F$ of $F$ defined as $\chi_F(x, v) = (-1)^{v \cdot F(x)}$ (if $F$ is Boolean, the sign function is defined by $\chi_F(x) = (-1)^{F(x)}$).

For any numerical function $\varphi$ on $\mathbb{F}_2^n$, the discrete Fourier transform of $\varphi$, denoted by $\widehat{\varphi}$, is a bijective transformation defined by $\widehat{\varphi}(u) = \sum_{x \in \mathbb{F}_2^n} \varphi(x)(-1)^{u \cdot x}$, $u \in \mathbb{F}_2^n$. It satisfies the following relation

$$\widehat{\widehat{\varphi}} = 2^n \varphi. \qquad (1)$$

The Fourier transform of the sign function of a Boolean function $f$ (that we will call Walsh transform of $f$) is the integer valued function $\widehat{\chi}_f$, defined on $\mathbb{F}_2^n$ by the formula:

$$\widehat{\chi}_f(u) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus u \cdot x}. \qquad (2)$$

More generally, if $F$ is an $(n,m)$-function, then its Walsh transform, $\widehat{\chi}_F$, is defined on $\mathbb{F}_2^n \times \mathbb{F}_2^m$ by the formula:

$$\widehat{\chi}_F(u, v) = \widehat{\chi}_{v \cdot F}(u) = \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) \oplus u \cdot x}. \qquad (3)$$
Every numerical function $\varphi$ satisfies Parseval's relation

$$\sum_{u \in \mathbb{F}_2^n} \hat{\varphi}^2(u) = 2^n \sum_{u \in \mathbb{F}_2^n} \varphi^2(u), \qquad (4)$$

and in the case of the Walsh transform of an $(n,m)$-function $F$, this relation becomes (for every $v \in \mathbb{F}_2^m$, since the sign function takes only the values $\pm 1$):

$$\sum_{u \in \mathbb{F}_2^n} \hat{\chi}_F^2(u,v) = 2^{2n} . \qquad (5)$$

We recall now the definition of the convolutional product between two numerical functions $\varphi$ and $\psi$ on $\mathbb{F}_2^n$. It is denoted by $\varphi \otimes \psi$ and defined on $\mathbb{F}_2^n$ by:

$$(\varphi \otimes \psi)(x) = \sum_{a \in \mathbb{F}_2^n} \varphi(a)\,\psi(x+a) . \qquad (6)$$

A well-known fact is that the Fourier transform of $\varphi \otimes \psi$ equals the product of $\hat{\varphi}$ and $\hat{\psi}$, that is:

$$\widehat{\varphi \otimes \psi} = \hat{\varphi} \times \hat{\psi} . \qquad (7)$$

Another useful tool for studying a function $F$ is the notion of derivative. The derivative of $F$ with respect to a vector $a \in \mathbb{F}_2^n$ is the $(n,m)$-function $D_aF : x \mapsto F(x) + F(x+a)$. The derivatives play an important role in cryptography, related to the differential attack [2].

The nonlinearity of a function $F$ is one of the parameters which quantify, from the viewpoint of the Hamming distance, the level of confusion put in the system by the function (another such parameter is the degree). The nonlinearity of a vectorial function $F$ is defined as the minimum Hamming distance between the nonzero linear combinations of the coordinate functions of $F$ and the set of all affine functions. Cryptographic functions used in stream or block ciphers must have high nonlinearities to protect these systems against linear attacks (see [1,6,16,22,31,33]).

For every $(n,m)$-function $F$, the nonlinearity $N_F$ and the Walsh transform $\hat{\chi}_F$ satisfy the relation:

$$N_F = 2^{n-1} - \frac{1}{2} \max_{u \in \mathbb{F}_2^n,\, v \in \mathbb{F}_2^{m*}} |\hat{\chi}_F(u,v)| . \qquad (8)$$

Because of Parseval's relation (5), $N_F$ is upper bounded by $2^{n-1} - 2^{n/2-1}$ for every $(n,m)$-function $F$. If $n$ is even and $m \le n/2$, then this bound is tight (see [34]). The functions achieving it are called bent. Chabaud and Vaudenay proved in [12] that the nonlinearity $N_F$ is also upper bounded by

$$2^{n-1} - \frac{1}{2}\sqrt{3 \times 2^n - 2 - 2\,\frac{(2^n-1)(2^{n-1}-1)}{2^m-1}} .$$

This bound equals $2^{n-1} - 2^{n/2-1}$ if and only if $m = n-1$, and it is better than $2^{n-1} - 2^{n/2-1}$ if and only if $m \ge n$. If $m = n$ (the only case of tightness), then Chabaud and Vaudenay's bound implies that the maximum possible nonlinearity of any $(n,n)$-function is upper bounded by $2^{n-1} - 2^{\frac{n-1}{2}}$. The functions achieving this nonlinearity are called almost bent and exist only when $n$ is odd. In the other cases (when $m = n$ and $n$ is even, or when $n/2 < m < n$), the maximum values achieved by the nonlinearity are unknown.

We note that $(n,m)$-functions are used in fault-tolerant distributed computing, quantum cryptographic key distribution and random sequence generation for stream ciphers. To resist divide-and-conquer attacks, these functions have to be balanced and to stay balanced if any $t$ of the inputs are fixed (where $t$ is an integer as large as possible). This property is called $t$-resiliency, and we call resiliency order of a balanced function the maximum value of such $t$. Resiliency can be characterized by means of the Fourier transform:

Proposition 1. [4,4^] An $(n,m)$-function $F$ is $t$-resilient if and only if its Walsh transform satisfies $\hat{\chi}_F(u,v) = 0$ for every pair $(u,v) \in \mathbb{F}_2^n \times \mathbb{F}_2^m$ such that $v \ne 0$ and $w_H(u) \le t$, where $w_H$ denotes the Hamming weight.

Remark 1.

1. A function is balanced if and only if it is 0-resilient, that is: $\hat{\chi}_F(0,v) = 0$ for any nonzero vector $v \in \mathbb{F}_2^m$.

2. If $G$ is a $t$-resilient $(n,m)$-function and $P$ is a permutation on $\mathbb{F}_2^m$, then the resiliency order of the $(n,m)$-function $F = P \circ G$ is at least $t$.

According to Proposition 1, an $(n,m)$-function $F$ is $t$-resilient if and only if every nonzero linear combination of its coordinates, denoted by $v \cdot F$ where $v$ belongs to $\mathbb{F}_2^{m*}$, is $t$-resilient. On the other hand, as observed by Camion and Canteaut in [4], an $(n,m)$-function $F$ is $t$-resilient if and only if for every balanced Boolean function $g \in \mathcal{B}_m$, the Boolean function $g \circ F$ is also $t$-resilient.

We will call $(n,m,t)$-function an $(n,m)$-function which is $t$-resilient.

In the sequel we will need the next well-known proposition, introduced by Rothaus in 1976 (see [37]) to define a simple iterative construction of bent functions, and which has been generalized some years later to design highly nonlinear resilient functions.

Proposition 2. Let $G$ and $H$ be respectively an $(r,m,t_1)$-function and an $(n-r,m,t_2)$-function. Then the $(n,m)$-function $F$ defined by $F(x,y) = G(x) + H(y)$ is $(t_1+t_2+1)$-resilient and its nonlinearity equals

$$2^{n-1} - \frac{1}{2} \max_{(u,u') \in \mathbb{F}_2^r \times \mathbb{F}_2^{n-r},\, v \in \mathbb{F}_2^{m*}} |\hat{\chi}_G(u,v)\,\hat{\chi}_H(u',v)| ,$$

which is lower bounded by $2^{n-1} - \frac{1}{2}(2^r - 2N_G)(2^{n-r} - 2N_H)$.

Proof. For every pair $(u,u')$ of $\mathbb{F}_2^r \times \mathbb{F}_2^{n-r}$ and for every nonzero vector $v$ of $\mathbb{F}_2^m$, we have:

$$\hat{\chi}_F((u,u'),v) = \hat{\chi}_G(u,v)\,\hat{\chi}_H(u',v) .$$

We deduce that $\hat{\chi}_F((u,u'),v)$ is nonzero if and only if $\hat{\chi}_G(u,v)$ and $\hat{\chi}_H(u',v)$ are both nonzero; since $w_H(u) + w_H(u') \le t_1 + t_2 + 1$ forces $w_H(u) \le t_1$ or $w_H(u') \le t_2$, this implies that $F$ is $(t_1+t_2+1)$-resilient. By applying Equation (8), we obtain the nonlinearity of $F$; the lower bound follows from (8) applied to $G$ and $H$, which gives $\max |\hat{\chi}_G| = 2^r - 2N_G$ and $\max |\hat{\chi}_H| = 2^{n-r} - 2N_H$.

3 Maiorana-MacFarland Functions 

3.1 Boolean Case 

In [5], Camion, Carlet, Charpin and Sendrier introduce a modification of the construction of Maiorana and MacFarland of bent functions (given in [19,32]) whose elements, viewed as binary vectors of length $2^n$, are the concatenations of affine functions.

Definition 1. [5] The class $\mathcal{M}_n$ is the set of Boolean functions $f$ of the form:

$$f_{\phi,h}(x,y) = x \cdot \phi(y) \oplus h(y) , \qquad (9)$$

where $r$ and $s$ are any positive integers such that $r+s = n$, $\phi$ is any function from $\mathbb{F}_2^s$ into $\mathbb{F}_2^r$ and $h$ is any Boolean function on $\mathbb{F}_2^s$.

A function $f_{\phi,h} \in \mathcal{M}_n$ is $t$-resilient if and only if, for every vector $u \in \mathbb{F}_2^r$ of Hamming weight lower than or equal to $t$, either the set $\phi^{-1}(u)$ is empty or the function $y \in \mathbb{F}_2^s \mapsto h(y) \oplus u' \cdot y$ is balanced on $\phi^{-1}(u)$ for every vector $u' \in \mathbb{F}_2^s$ of Hamming weight at most $t - w_H(u)$. Indeed, as shown in [5], for every $u \in \mathbb{F}_2^r$ and every $u' \in \mathbb{F}_2^s$, we have

$$\hat{\chi}_{f_{\phi,h}}(u,u') = 2^r \sum_{y \in \phi^{-1}(u)} (-1)^{h(y) + u' \cdot y} ,$$

since every (affine) function $x \mapsto f_{\phi,h}(x,y) \oplus u \cdot x \oplus u' \cdot y$ either is constant (when $\phi(y) = u$) or is balanced, and contributes then $0$ to the sum $\sum_{x \in \mathbb{F}_2^r} (-1)^{f_{\phi,h}(x,y) \oplus u \cdot x \oplus u' \cdot y}$.

A sufficient condition for $f_{\phi,h}$ being $t$-resilient is that every element in $\phi(\mathbb{F}_2^s)$ has Hamming weight strictly greater than $t$. This condition does not involve the function $h$. Another sufficient condition is that every element in $\phi(\mathbb{F}_2^s)$ has weight at least $t$ and that, if it has weight $t$, then it admits exactly two inverse images $y_1$ and $y_2$ by $\phi$, and that $h(y_1) = 0$, $h(y_2) = 1$. The nonlinearity of a Boolean function $f_{\phi,h} : \mathbb{F}_2^r \times \mathbb{F}_2^s \to \mathbb{F}_2$ in $\mathcal{M}_n$ equals

$$2^{n-1} - 2^{r-1} \max_{(u,u') \in \mathbb{F}_2^r \times \mathbb{F}_2^s} \Big| \sum_{y \in \phi^{-1}(u)} (-1)^{h(y) + u' \cdot y} \Big| .$$

When $\phi$ is injective (resp. takes exactly two times each value of $\mathrm{Im}\,\phi$), then this nonlinearity equals $2^{n-1} - 2^{r-1}$ (resp. $2^{n-1} - 2^r$). Also, as proved in [9,39], the nonlinearity of every Boolean function defined as in Equation (9) satisfies

$$2^{n-1} - 2^{r-1} \max_{u \in \mathbb{F}_2^r} \#\phi^{-1}(u) \;\le\; N_{f_{\phi,h}} \;\le\; 2^{n-1} - 2^{r-1} \Big\lceil \sqrt{\max_{u \in \mathbb{F}_2^r} \#\phi^{-1}(u)} \Big\rceil . \qquad (10)$$

If every element in $\phi(\mathbb{F}_2^s)$ has Hamming weight strictly greater than $k$ ($f_{\phi,h}$ is then $t$-resilient with $t \ge k$), then $N_{f_{\phi,h}}$ satisfies also the following relation [9]:

$$N_{f_{\phi,h}} \le 2^{n-1} - 2^{r-1} \left\lceil \frac{2^{s/2}}{\sqrt{\sum_{i=k+1}^{r} \binom{r}{i}}} \right\rceil . \qquad (11)$$

The functions such that the Hamming weight $w_H(\phi(y))$ is strictly greater than $t$ for every vector $y \in \mathbb{F}_2^s$ can be viewed as the concatenations of $t$-resilient affine Boolean functions. More generally, the concatenation of any $t$-resilient functions produces also $t$-resilient functions (this property has been used for instance in [38]).
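The following Python program is an added worked example; it is not part of the paper and is not the authors' code. It builds two Boolean Maiorana-MacFarland functions $f_{\phi,h}$ as in (9) with constructed choices of $\phi$ and $h$, checks the concatenation formula $\hat{\chi}_f(u,u') = 2^r \sum_{y \in \phi^{-1}(u)} (-1)^{h(y)+u' \cdot y}$ against a brute-force Walsh transform, and reads off the resiliency order (Proposition 1) and the nonlinearity (8). The first choice takes $\phi$ injective with all values of weight 2 (first sufficient condition, so $t = 1$); the second takes $\phi$ two-to-one with $h$ separating each pair of preimages (second sufficient condition, so $t = 2$). The function names and the packing of $(x,y)$ into one integer as $(y \ll r)\,|\,x$ are conventions of this example only.

```python
# Added example (not from the paper): Boolean Maiorana-MacFarland functions (9),
# their Walsh spectrum computed two ways (brute force vs the concatenation
# formula), and the resulting resiliency order and nonlinearity.
# The (phi, h) choices below are constructed for this example.

def parity(x):
    """Inner product over F_2 of two bitmask-encoded vectors: popcount(x & y) mod 2."""
    return bin(x).count("1") & 1

def mm_function(r, s, phi, h):
    """Return f(x, y) = x.phi(y) + h(y) on F_2^r x F_2^s, input packed as w = (y << r) | x."""
    def f(w):
        x, y = w & ((1 << r) - 1), w >> r
        return parity(x & phi(y)) ^ h(y)
    return f

def walsh_boolean(f, n):
    """Brute-force Walsh transform (2): chi_f(u) = sum_x (-1)^(f(x) + u.x)."""
    return [sum(1 - 2 * (f(x) ^ parity(u & x)) for x in range(1 << n))
            for u in range(1 << n)]

def mm_walsh(r, s, phi, h, u, u1):
    """Concatenation formula: 2^r * sum over y in phi^-1(u) of (-1)^(h(y) + u'.y)."""
    return (1 << r) * sum(1 - 2 * (h(y) ^ parity(u1 & y))
                          for y in range(1 << s) if phi(y) == u)

def nonlinearity(f, n):
    """Relation (8) for a Boolean function: 2^(n-1) - max|chi_f| / 2."""
    return (1 << (n - 1)) - max(abs(w) for w in walsh_boolean(f, n)) // 2

def resiliency_order(f, n):
    """Largest t with chi_f(u) = 0 for every u of weight <= t (Proposition 1); -1 if unbalanced."""
    W = walsh_boolean(f, n)
    order = -1
    for t in range(n + 1):
        if any(W[u] != 0 for u in range(1 << n) if bin(u).count("1") <= t):
            break
        order = t
    return order

def closed_form_matches(r, s, phi, h):
    """Check the concatenation formula against brute force for every (u, u')."""
    f = mm_function(r, s, phi, h)
    W = walsh_boolean(f, r + s)
    return all(W[(u1 << r) | u] == mm_walsh(r, s, phi, h, u, u1)
               for u in range(1 << r) for u1 in range(1 << s))

# Constructed sample: r = 4 and phi only takes values of Hamming weight 2.
WEIGHT2 = [0b0011, 0b0110, 0b1100, 0b1001]

def injective_case():
    """s = 2, phi injective: expect nonlinearity 2^(n-1) - 2^(r-1) = 24 and order 1."""
    r, s = 4, 2
    phi, h = (lambda y: WEIGHT2[y]), (lambda y: 0)
    f = mm_function(r, s, phi, h)
    return nonlinearity(f, r + s), resiliency_order(f, r + s), closed_form_matches(r, s, phi, h)

def two_to_one_case():
    """s = 3, phi two-to-one with h = 0 on one preimage and 1 on the other
    (second sufficient condition): expect nonlinearity 2^(n-1) - 2^r = 48 and order 2."""
    r, s = 4, 3
    phi, h = (lambda y: WEIGHT2[y >> 1]), (lambda y: y & 1)
    f = mm_function(r, s, phi, h)
    return nonlinearity(f, r + s), resiliency_order(f, r + s), closed_form_matches(r, s, phi, h)

if __name__ == "__main__":
    print("injective phi:", injective_case())     # (24, 1, True)
    print("two-to-one phi:", two_to_one_case())   # (48, 2, True)
```

In the injective case the spectrum is $0$ or $\pm 2^r$, and the first weight-2 value of $\phi$ hit with $u' = 0$ stops the resiliency at $t = 1$; in the two-to-one case the pair $\{y, y \oplus 1\}$ cancels for $u' = 0$ but not for $u' = (0,0,1)$, which is why the order is exactly 2 and the maximum of $|\hat{\chi}_f|$ is $2^{r+1}$.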



3.2 Multiple-Output Case 

The design of resilient vectorial functions by generalizing the construction of 
Maiorana and MacFarland is natural. One can find a first reference of such a 
construction in a paper by Nyberg [34] published in 1991. This technique has 
been used later by Kurosawa et al. [28], Johansson and Pasalic [25], Pasalic 
and Maitra [29] or more recently (presented as a new technique) by Gupta and 
Sarkar [23] to produce functions having high resiliency and high nonlinearity. 
However, a general study of vectorial Maiorana-MacFarland functions has never 
been done. The aim of this section is to recall what can be said about these func- 
tions by simply extending the properties of the Maiorana-MacFarland Boolean 
functions to the multi-output case. As a direct consequence of this study, we 
will show that all the constructions of vectorial Maiorana-MacFarland functions 
presented in the references cited above belong to a unique class. 

The construction of $t$-resilient linear functions is easy: Stinson [40] considered the equivalence between linear resilient functions and what he called large sets of orthogonal arrays, and the works of Delsarte [17,18], in which the relationship between orthogonal arrays and codes is studied, can then be used to straightforwardly establish the connection between linear $t$-resilient functions and linear codes. The main result of these characterizations is that there exists a linear $(n,m,t)$-function if and only if there exists a set of $2^m$ disjoint binary arrays of dimensions $2^{n-m} \times n$ such that, in any $t$ columns of the arrays, every one of the $2^t$ elements of $\mathbb{F}_2^t$ occurs in exactly $2^{n-m-t}$ rows and no two rows are identical, or equivalently if and only if there exists a linear $[n,m,t+1]$ code (i.e. a subspace of $\mathbb{F}_2^n$ of dimension $m$ whose nonzero elements have Hamming weights greater than or equal to $t+1$).

We will focus more particularly in this paper on the definition of resilient linear functions from linear codes. Let us first recall that the generator matrix of a linear $[n,k,d]$ code $C$ is the matrix $G$ such that every element $x$ of $C$ can be written in the form $u \times G$, where $u$ is a $k$-dimensional vector. In [14], Chor et al. state the following proposition, which is a direct consequence of the works of Delsarte [17,18] and of the characterization of linear $t$-resilient functions with orthogonal arrays established by Camion et al. [5] for the Boolean case and by Stinson [40] for the vectorial one.

Proposition 3. Let $G$ be a generator matrix for an $[n,k,d]$ linear code $C$. Define $L : \mathbb{F}_2^n \to \mathbb{F}_2^k$ by the rule $L(x) = x \times G^T$, where $G^T$ is the transpose of $G$. Then $L$ is an $(n,k,d-1)$-function.

Remark 2. Proposition 3 is still trivially true if $L$ is affine instead of linear, that is $L(x) = x \times G^T + a$, where $a$ is a vector of $\mathbb{F}_2^k$.

Notice that the construction of $t$-resilient functions in Proposition 3 can be generalized by considering some nonlinear codes of length $n$ (subsets of $\mathbb{F}_2^n$) whose dual distance $d^\perp$ is greater than or equal to $t+1$ (see [41,8]). The dual distance of a code $C$ of length $n$ is the smallest positive integer $i$ such that the coefficient of the monomial in the polynomial [...] is nonzero (when the code is linear, the dual distance is equal to the minimum Hamming distance of the dual code).



Since one has, with Proposition 3, a simple way to design $t$-resilient vectorial affine functions, it is natural to generalize the construction of Maiorana-MacFarland by concatenating affine vectorial functions as we did for Boolean functions.

Definition 2. The class $\mathcal{M}_{n,m}$ is the set of $(n,m)$-functions $F$ which can be written in the form:

$$F(x,y) = x \times \begin{pmatrix} \varphi_{11}(y) & \cdots & \varphi_{1m}(y) \\ \vdots & & \vdots \\ \varphi_{r1}(y) & \cdots & \varphi_{rm}(y) \end{pmatrix} + H(y), \quad (x,y) \in \mathbb{F}_2^r \times \mathbb{F}_2^s, \qquad (12)$$

where $r$ and $s$ are two positive integers satisfying $r+s = n$, $H$ is any $(s,m)$-function and, for every index $i \le r$ and every index $j \le m$, $\varphi_{ij}$ is a Boolean function on $\mathbb{F}_2^s$.

We will call Maiorana-MacFarland's vectorial function any function which can be written as in Equation (12). We recalled above that the concatenation of $t$-resilient functions is still $t$-resilient. Hence, due to Proposition 3, if the transpose matrix of the matrix involved in Relation (12) is the generator matrix of a linear $[r,m,d]$-code for every vector $y$ ranging over $\mathbb{F}_2^s$, then the $(n,m)$-function $F$ is $(d-1)$-resilient.

Any function $F$ belonging to $\mathcal{M}_{n,m}$ can be written in the form:

$$F(x,y) = \Big( \sum_{i=1}^{r} x_i \varphi_{i1}(y) \oplus h_1(y), \;\ldots,\; \sum_{i=1}^{r} x_i \varphi_{im}(y) \oplus h_m(y) \Big), \qquad (13)$$

where $H = (h_1, \ldots, h_m)$.

After denoting, for every $i \le m$, by $\phi_i$ the $(s,r)$-function which admits the Boolean functions $\varphi_{1i}, \ldots, \varphi_{ri}$ for coordinate functions, we can rewrite Relation (13) as:

$$F(x,y) = \big( x \cdot \phi_1(y) \oplus h_1(y), \;\ldots,\; x \cdot \phi_m(y) \oplus h_m(y) \big) . \qquad (14)$$

Remark 3. Relation (14) is a simple generalization of the construction of bent $(n,m)$-functions from Boolean Maiorana-MacFarland's functions which has been proposed by Nyberg in [34] and restated by Chabaud and Vaudenay in [12].

As a direct consequence of Proposition 3 for instance, we have:

Corollary 1. Let $n$, $m$, $r$ and $s$ be integers such that $n = r+s$. Let $F$ be an $(n,m)$-function in $\mathcal{M}_{n,m}$ such that, for every $y \in \mathbb{F}_2^s$, the family $(\phi_i(y))_{i \le m}$ is a basis of an $m$-dimensional subspace of $\mathbb{F}_2^r$ having $t+1$ for minimum Hamming weight. Then $F$ is at least $t$-resilient.

Remark 4. Notice that a $t$-resilient $(n,m)$-function $F \in \mathcal{M}_{n,m}$ cannot be designed by applying Corollary 1 when $m$ is strictly larger than $r$, since in this case it is impossible to design $m$ vectors $\phi_1(y), \ldots, \phi_m(y)$ of $\mathbb{F}_2^r$ which are linearly independent.

According to the facts about the Walsh transform of the Boolean Maiorana-MacFarland functions recalled in Section 3.1, the coefficients of the Walsh transform of the $(n,m)$-functions $F$ belonging to $\mathcal{M}_{n,m}$ (where $n = r+s$) take the form

$$\hat{\chi}_F((u,u'),v) = 2^r \sum_{y \in E_{u,v}} (-1)^{v \cdot H(y) + u' \cdot y}, \qquad (15)$$

where $(u,u')$ is a pair in $\mathbb{F}_2^r \times \mathbb{F}_2^s$, $v$ is an element of $\mathbb{F}_2^{m*}$ and $E_{u,v}$ denotes the set $\{ y \in \mathbb{F}_2^s ;\ \sum_{i=1}^{m} v_i \phi_i(y) = u \}$.

Remark 5. Let $f_1, \ldots, f_m$ denote the $m$ coordinate functions of an $(r+s,m)$-function $F$ defined as in Relation (14) (i.e. $f_i(x,y) = x \cdot \phi_i(y) \oplus h_i(y)$, $i = 1, \ldots, m$). By using the known properties of Boolean Maiorana-MacFarland functions, we obtain straightforwardly that $F$ is $t$-resilient if and only if, for every $v \in \mathbb{F}_2^{m*}$ and for every pair $(u,u') \in \mathbb{F}_2^r \times \mathbb{F}_2^s$ of Hamming weight lower than or equal to $t$, one of the two following conditions is satisfied:

1. the set $E_{u,v}$ is empty,

2. the Boolean function $y \in \mathbb{F}_2^s \mapsto v \cdot H(y) \oplus u' \cdot y$ is balanced on $E_{u,v}$.

However, because the vector $v$ is involved in these two conditions, this characterization is not easy to use for designing resilient Maiorana-MacFarland's vectorial functions.

Due to Relations (8) and (15), the nonlinearity $N_F$ of any function $F \in \mathcal{M}_{n,m}$ (where $n = r+s$) defined as in Relation (14) satisfies

$$N_F = 2^{n-1} - 2^{r-1} \max_{(u,u') \in \mathbb{F}_2^r \times \mathbb{F}_2^s,\, v \in \mathbb{F}_2^{m*}} \Big| \sum_{y \in E_{u,v}} (-1)^{v \cdot H(y) + u' \cdot y} \Big| . \qquad (16)$$

Because of the vector $v \in \mathbb{F}_2^{m*}$ involved in Relation (16), the construction of a highly nonlinear Maiorana-MacFarland vectorial function is more difficult than in the Boolean case. In the next proposition, we give the upper bound and the lower bound on the nonlinearity of Maiorana-MacFarland functions, which come directly from Relations (10) and (11).

Proposition 4. Let $F$ be an $(n,m)$-function defined as in (14). Then the nonlinearity $N_F$ of $F$ satisfies

$$2^{n-1} - 2^{r-1} \max_{u \in \mathbb{F}_2^r,\, v \in \mathbb{F}_2^{m*}} \#E_{u,v} \;\le\; N_F \;\le\; 2^{n-1} - 2^{r-1} \Big\lceil \sqrt{\max_{u \in \mathbb{F}_2^r,\, v \in \mathbb{F}_2^{m*}} \#E_{u,v}} \Big\rceil . \qquad (17)$$

Assume that, for every element $y$, the space spanned by the vectors $\phi_1(y), \ldots, \phi_m(y)$ admits $m$ for dimension and has a minimum Hamming weight strictly greater than $k$ (so that $F$ is $t$-resilient with $t \ge k$). Then we have

$$N_F \le 2^{n-1} - 2^{r-1} \left\lceil \frac{2^{s/2}}{\sqrt{\sum_{i=k+1}^{r} \binom{r}{i}}} \right\rceil . \qquad (18)$$

Proof. By definition of the nonlinearity of $F$, we have $N_F = \min_{v \in \mathbb{F}_2^{m*}} N_{v \cdot F}$. Hence we have $N_F = N_{v_0 \cdot F}$ for some nonzero $v_0$. Since $v_0 \cdot F$ is a Boolean Maiorana-MacFarland function with $\phi = \sum_{i} (v_0)_i \phi_i$ and $\phi^{-1}(u) = E_{u,v_0}$, we deduce $N_F \ge 2^{n-1} - 2^{r-1} \max_{u \in \mathbb{F}_2^r,\, v \in \mathbb{F}_2^{m*}} \#E_{u,v}$, according to the lower bound in Relation (10). If the inequality $N_F \le 2^{n-1} - 2^{r-1} \lceil \sqrt{\max_{u \in \mathbb{F}_2^r,\, v \in \mathbb{F}_2^{m*}} \#E_{u,v}} \rceil$ was not satisfied, there would exist a nonzero vector $v$ (one achieving the maximum of $\#E_{u,v}$) such that $N_{v \cdot F} < N_F$, according to the upper bound in Relation (10); a contradiction.

Inequality (18) is a direct consequence of Inequality (11), applied to every $v \cdot F$ with $v \ne 0$.

In the following proposition, we specify the functions $\phi_i$ in order to obtain functions whose nonlinearity can be easily computed.

Proposition 5. Let $F$ be an $(n,m)$-function defined as in Equation (14).

1. If, for every vector $v \in \mathbb{F}_2^{m*}$, the $(s,r)$-function $y \mapsto \sum_{i \le m} v_i \phi_i(y)$ is injective, then $F$ admits $2^{n-1} - 2^{r-1}$ for nonlinearity.

2. If, for every vector $v \in \mathbb{F}_2^{m*}$, the $(s,r)$-function $y \mapsto \sum_{i \le m} v_i \phi_i(y)$ takes exactly two times each value of its image set (let us say in the sequel that such a function is two-to-one), then $F$ admits $2^{n-1} - 2^r$ for nonlinearity.

Proof. If all the functions $y \mapsto \sum_{i \le m} v_i \phi_i(y)$ are injective (resp. take exactly two times each value of their image set) when $v$ is a nonzero vector of $\mathbb{F}_2^m$, then all the sets $E_{u,v}$ as defined in Equation (15) are empty or reduced to a singleton (resp. to a pair). We deduce that the maximum achieved by $|\hat{\chi}_F|$ on $\mathbb{F}_2^n \times \mathbb{F}_2^{m*}$ equals $2^r$ (resp. $2^{r+1}$) and, according to Equation (8), we conclude that $N_F$ equals $2^{n-1} - 2^{r-1}$ (resp. $2^{n-1} - 2^r$).

Remark 6. The injectivity (resp. the two-to-one property) of the $(s,r)$-functions $y \mapsto \sum_{i \le m} v_i \phi_i(y)$ ($v \ne 0$) implies $s \le r$ (resp. $s \le r+1$).

The aim of the following Lemma, proposed by Johansson and Pasalic, is to give a way to specify the vectorial functions $\phi_1, \ldots, \phi_m$ to ensure that their nonzero linear combinations satisfy the first hypothesis of Proposition 5.

Lemma 1. [25] Let $C$ be a binary linear $[r,m,t+1]$ code ($m \le r$) and let $c_1, \ldots, c_m$ be a basis of $C$. Let $\alpha$ be a primitive element in the finite field $\mathbb{F}_{2^m}$ and let $L_1$ be the linear function from $\mathbb{F}_{2^m}$ into $C$ defined by $L_1\big(\sum_{i=1}^{m} a_i \alpha^{i-1}\big) = \sum_{i=1}^{m} a_i c_i$. Define $m-1$ functions $L_i$, $i = 2, \ldots, m$, such that for every $0 \le k \le 2^m - 2$, $L_i(\alpha^k) = L_1(\alpha^{k+i-1})$ (and $L_i(0) = 0$). Then, for every vector $v \in \mathbb{F}_2^{m*}$, the function $z \in \mathbb{F}_{2^m} \mapsto \sum_{i=1}^{m} v_i L_i(z)$ is a bijection from $\mathbb{F}_{2^m}$ into $C$.

Proof. Since $c_1, \ldots, c_m$ is a basis, $L_1$ is a bijection. For every vector $v \in \mathbb{F}_2^m$ and every element $z$ of $\mathbb{F}_{2^m}$, we have

$$\sum_{i=1}^{m} v_i L_i(z) = L_1\Big( \Big(\sum_{i=1}^{m} v_i \alpha^{i-1}\Big) z \Big) .$$

The vector $v$ being nonzero, the element $\sum_{i=1}^{m} v_i \alpha^{i-1}$ is nonzero (since $1, \alpha, \ldots, \alpha^{m-1}$ is a basis of $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$). Hence, the function $z \in \mathbb{F}_{2^m} \mapsto \sum_{i=1}^{m} v_i L_i(z)$ is a bijection.

Remark 7. Note that, more generally, if $\beta_1, \ldots, \beta_m$ is a basis of $\mathbb{F}_{2^m}$, and if $L_0$ is a linear isomorphism between $\mathbb{F}_{2^m}$ and $C$, then the functions $L_i(z) = L_0(\beta_i z)$, $i = 1, \ldots, m$, have also the property that, for every vector $v \in \mathbb{F}_2^{m*}$, the function $z \in \mathbb{F}_{2^m} \mapsto \sum_{i=1}^{m} v_i L_i(z)$ is a bijection from $\mathbb{F}_{2^m}$ into $C$.

Since we have $L_1(0) = L_2(0) = \ldots = L_m(0) = 0$, the functions $L_1, \ldots, L_m$ do not satisfy the hypothesis of Corollary 1 (i.e. the vectors $L_1(z), \ldots, L_m(z)$ are not linearly independent for every $z \in \mathbb{F}_{2^m}$). A solution to derive a family of vectorial functions satisfying the hypothesis of Corollary 1 and one of the two conditions of Proposition 5 is then to right-compose the functions $L_i$ with a same injective - or two-to-one - function $\pi$ from $\mathbb{F}_2^s$ into $\mathbb{F}_{2^m}^*$. Then, for every nonzero vector $v \in \mathbb{F}_2^{m*}$, the function $y \in \mathbb{F}_2^s \mapsto \sum_{i=1}^{m} v_i L_i[\pi(y)]$ is injective - or two-to-one - from $\mathbb{F}_2^s$ into $C^*$.



For any $m$-tuple $(L_1, \ldots, L_m)$ of linear functions from $\mathbb{F}_{2^m}$ into an $[r,m,t+1]$ code defined as in Lemma 1, and for any function $\pi$ from $\mathbb{F}_2^s$ into $\mathbb{F}_{2^m}$, Relation (12) can be rewritten

$$(x,y) \in \mathbb{F}_2^r \times \mathbb{F}_2^s \mapsto x \times \begin{pmatrix} \ell_{11} \circ \pi(y) & \cdots & \ell_{m1} \circ \pi(y) \\ \vdots & & \vdots \\ \ell_{1r} \circ \pi(y) & \cdots & \ell_{mr} \circ \pi(y) \end{pmatrix} + H(y), \qquad (19)$$

where $H$ is any $(s,m)$-function and $\ell_{ij}$ denotes the $j$-th coordinate function of $L_i$.



As we show in the following proposition (which is a more general presentation of the results obtained by Johansson and Pasalic in [25], who considered only the case $\pi$ injective), the nonlinearity and the resiliency of $(n,m)$-functions defined as in (19) can be easily computed for every function $\pi$ from $\mathbb{F}_2^s$ into $\mathbb{F}_{2^m}^*$. It can be high if $\pi$ is injective or two-to-one.

Proposition 6. Let $C$ be a linear $[r,m,t+1]$ code and let $L_1, \ldots, L_m$ be $m$ functions defined as in Lemma 1 with respect to $C$. Let $s$ be any integer, let $\pi$ be any function from $\mathbb{F}_2^s$ into $\mathbb{F}_{2^m}^*$ and let $H$ be any $(s,m)$-function. Then the $(r+s,m)$-function $F$ defined with respect to the functions $L_1, \ldots, L_m$, $\pi$ and $H$ as in (19) admits at least $t$ for resiliency order and its nonlinearity satisfies:

$$N_F = 2^{r+s-1} - 2^{r-1} \max_{z \in \mathbb{F}_{2^m},\, v \in \mathbb{F}_2^{m*},\, u' \in \mathbb{F}_2^s} \Big| \sum_{y \in \pi^{-1}(z)} (-1)^{v \cdot H(y) + u' \cdot y} \Big| . \qquad (20)$$

If $\pi$ is injective, then $s$ must be strictly lower than $m$ and $N_F$ equals $2^{r+s-1} - 2^{r-1}$. If $\pi$ is two-to-one, then $s$ must be lower than or equal to $m$ and $N_F$ equals $2^{r+s-1} - 2^r$.

Proof. For every nonzero vector $v \in \mathbb{F}_2^m$ and every vector $y \in \mathbb{F}_2^s$, the linear combination $\sum_{i=1}^{m} v_i [L_i \circ \pi](y)$ belongs to the $[r,m,t+1]$ code $C$ and is nonzero, since $\pi(y)$ never equals zero. We deduce that the vectors $L_1[\pi(y)], \ldots, L_m[\pi(y)]$ form a basis of $C$, which implies, according to Corollary 1, that $F$ is at least $t$-resilient.

On the other hand, let $\alpha$ be a primitive element of $\mathbb{F}_{2^m}$ and let $z$ denote the vector $\pi(y)$. For every nonzero vector $v \in \mathbb{F}_2^m$ and every vector $u \in C^*$ the equation

$$\sum_{i=1}^{m} v_i L_i(z) = L_1\Big( \Big(\sum_{i=1}^{m} v_i \alpha^{i-1}\Big) z \Big) = u$$

admits exactly one solution $z_0$ in $\mathbb{F}_{2^m}^*$, since $L_1$ is a bijection from $\mathbb{F}_{2^m}^*$ into $C^*$. Hence we deduce that $E_{u,v} = \{ y \in \mathbb{F}_2^s ;\ \sum_{i=1}^{m} v_i L_i[\pi(y)] = u \}$ equals $\pi^{-1}(z_0)$ and then, according to Relation (16), we obtain (20). As a direct consequence of Proposition 5, we deduce the nonlinearity of $F$ for the case $\pi$ injective or two-to-one.

Let $F$ be an $(r+s,m)$-function defined as in (19) with an injective (resp. two-to-one) function $\pi$. Since $s$ must be lower than or equal to $r$ in Proposition 6, we deduce that the smaller the difference $r - s = 2r - n \ge 0$, the larger the nonlinearity, $2^{n-1} - 2^{r-1}$ (resp. $2^{n-1} - 2^r$), of $F$. Hence, if we want to construct functions based on Lemma 1 and having the best tradeoff between nonlinearity and resiliency, then we have at the same time to maximize the distance $t+1$ of the $[r,m,t+1]$ code and to minimize the value of $r$ (which is greater than or equal to $n/2$). In what follows we give a first construction of resilient highly nonlinear mappings (already described, but in more particular ways, in [12,23,25,29,34]; Johansson and Pasalic [25] or Maitra and Pasalic [29] only consider $\pi$ as an injective function, whereas Nyberg [34], as Chabaud and Vaudenay in [12], focus on the design of bent functions, and Gupta and Sarkar consider only one very specific function $\pi$ as shown in Proposition 7).

Construction 1

Given two integers $m$ and $r$ ($m \le r$), construct an $[r,m,t+1]$-code $C$ such that $t$ is as large as possible (Brouwer gives in [3] a precise overview of the known codes and of the known bounds on the parameters of these codes). Then define $m$ linear functions $L_1, \ldots, L_m$ from $\mathbb{F}_{2^m}$ into $C$ as in Lemma 1, or as in the remark which follows it. Choose an integer $s$ strictly lower than $m$ (resp. lower than or equal to $m$) and define an injective (resp. two-to-one) function $\pi$ from $\mathbb{F}_2^s$ into $\mathbb{F}_{2^m}^*$. Choose any $(s,m)$-function $H$ and denote $r+s$ by $n$; then the $(n,m)$-function $F$ whose coordinate functions are defined by $f_i(x,y) = x \cdot [L_i \circ \pi](y) \oplus h_i(y)$ is $t$-resilient and admits $2^{n-1} - 2^{r-1}$ (resp. $2^{n-1} - 2^r$) for nonlinearity.

Remark 8. In Construction 1, the parameters $r$, $m$ and $s$ must satisfy either the relation $s < m \le r$ if $\pi$ is injective or the relation $s \le m \le r$ if $\pi$ is two-to-one. And the smaller $r \ge n/2$ is, the larger the nonlinearity.
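As an added worked example (this is not code from the paper or its authors), the Python program below implements the Walsh transform (3), the nonlinearity (8) and the resiliency order of Proposition 1 for an arbitrary $(n,m)$-function, the linear functions $L_1, \ldots, L_m$ of Lemma 1 over $\mathbb{F}_{2^m}$, and Construction 1 itself; it also checks Proposition 3 on the same code. It is instantiated with the $[7,3,4]$ simplex code, $\mathbb{F}_8 = \mathbb{F}_2[X]/(X^3+X+1)$ with $\alpha = X$, $s = 2 < m$ and the injective map $\pi(y) = y+1$ into $\mathbb{F}_8^*$; these choices, the helper names and the packing of $(x,y)$ as $(y \ll r)\,|\,x$ are assumptions of the example. The brute-force transform confirms the resiliency order $t = 3$ and the nonlinearity $2^{n-1} - 2^{r-1} = 192$ predicted by Construction 1.

```python
# Added example (not from the paper): Walsh transform (3), nonlinearity (8),
# resiliency order (Proposition 1), the functions L_i of Lemma 1 and
# Construction 1, instantiated with the [7,3,4] simplex code.  The code, the
# field polynomial, pi and H below are choices made for this example.

def parity(x):
    """Inner product over F_2 of two bitmask-encoded vectors: popcount(x & y) mod 2."""
    return bin(x).count("1") & 1

def fwht(a):
    """Fast Walsh-Hadamard transform: returns b with b[u] = sum_x a[x] (-1)^(u.x)."""
    a = list(a)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a

def walsh(F, n, m):
    """W[v][u] = chi_F(u, v) = sum_x (-1)^(v.F(x) + u.x) for every v != 0 (Eq. 3)."""
    return {v: fwht([1 - 2 * parity(v & F(x)) for x in range(1 << n)])
            for v in range(1, 1 << m)}

def nonlinearity(F, n, m):
    """Relation (8): N_F = 2^(n-1) - (1/2) max |chi_F(u, v)| over u and v != 0."""
    W = walsh(F, n, m)
    return (1 << (n - 1)) - max(abs(w) for v in W for w in W[v]) // 2

def resiliency_order(F, n, m):
    """Largest t with chi_F(u, v) = 0 for all v != 0 and wt(u) <= t; -1 if F is unbalanced."""
    W = walsh(F, n, m)
    order = -1
    for t in range(n + 1):
        if any(W[v][u] != 0 for v in W for u in range(1 << n) if bin(u).count("1") <= t):
            break
        order = t
    return order

def gf_mul(a, b, m, poly):
    """Multiplication in F_{2^m} = F_2[X]/(poly); poly has its degree-m bit set."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        b >>= 1
        a <<= 1
        if a >> m:
            a ^= poly
    return acc

def lemma1_functions(basis, m, poly):
    """Lemma 1 with alpha = X (assumed primitive modulo poly): the coordinates a_i of
    z = sum a_i alpha^(i-1) are the bits of z, L_1(z) = sum a_i c_i and
    L_i(z) = L_1(alpha^(i-1) z).  Returns [L_1, ..., L_m] (0-based list)."""
    def L1(z):
        out = 0
        for i, c in enumerate(basis):
            if (z >> i) & 1:
                out ^= c
        return out
    return [lambda z, i=i: L1(gf_mul(z, 1 << i, m, poly)) for i in range(m)]

def construction1(basis, r, m, poly, s, pi, H):
    """Construction 1: f_i(x, y) = x . L_i(pi(y)) + h_i(y); input packed as (y << r) | x."""
    L = lemma1_functions(basis, m, poly)
    def F(w):
        x, y = w & ((1 << r) - 1), w >> r
        z = pi(y)
        assert z != 0, "pi must map into F_{2^m}^* (nonzero field elements)"
        return sum((parity(x & L[i](z)) ^ ((H(y) >> i) & 1)) << i for i in range(m))
    return F

# [7,3,4] simplex code: the generator matrix has all nonzero 3-bit vectors as
# columns, so every nonzero codeword has weight 4, i.e. t + 1 = 4 and t = 3.
SIMPLEX = [0b0001111, 0b0110011, 0b1010101]

def code_min_weight(basis):
    """Minimum Hamming weight of the nonzero codewords spanned by basis."""
    words = {0}
    for c in basis:
        words |= {w ^ c for w in words}
    return min(bin(w).count("1") for w in words if w)

def proposition3_linear_function():
    """L(x) = x G^T for the simplex code: expect a (7,3,3)-function with nonlinearity 0."""
    L = lambda x: sum(parity(x & c) << i for i, c in enumerate(SIMPLEX))
    return resiliency_order(L, 7, 3), nonlinearity(L, 7, 3)

def construction1_demo():
    """r = 7, m = 3 with F_8 = F_2[X]/(X^3 + X + 1), s = 2 < m, pi injective into F_8^*:
    expect resiliency order 3 and nonlinearity 2^(n-1) - 2^(r-1) = 256 - 64 = 192."""
    r, m, poly, s = 7, 3, 0b1011, 2
    pi = lambda y: y + 1            # injective F_2^2 -> {1, 2, 3, 4}, a subset of F_8^*
    H = lambda y: (3 * y) & 7       # an arbitrary (2,3)-function
    F = construction1(SIMPLEX, r, m, poly, s, pi, H)
    return resiliency_order(F, r + s, m), nonlinearity(F, r + s, m)

if __name__ == "__main__":
    print("simplex minimum weight:", code_min_weight(SIMPLEX))   # 4
    print("Proposition 3 (order, N):", proposition3_linear_function())  # (3, 0)
    print("Construction 1 (order, N):", construction1_demo())           # (3, 192)
```

The resiliency order is exactly 3 and not more: for $v \ne 0$ every value $\sum_i v_i L_i(\pi(y))$ is a nonzero codeword, hence has weight 4, so $\hat{\chi}_F((u,u'),v)$ vanishes whenever $w_H(u) \le 3$ but equals $\pm 2^r$ at $u$ a codeword and $u' = 0$. Replacing `SIMPLEX` by the basis of another $[r,m,t+1]$ code and `poly` by a primitive polynomial of degree $m$ reproduces the construction for other parameters.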

Johansson and Pasalic use in [25] a second construction based on Lemma 1 and involving a family of nonintersecting codes, that is a family of codes having the same parameters (same length, same dimension and same minimum distance) and whose pairwise intersection is always reduced to the null vector. In what follows, we give a formalization of this construction and we improve it by considering not only injective functions but also two-to-one ones.

Construction 2

Let $(C_j)_{1 \le j \le N}$ be a family of $N$ nonintersecting $[r,m,t+1]$ codes. For every code $C_j$, define a family $(L_i^{(j)})_{1 \le i \le m}$ of linear functions as in Lemma 1. Let $s$ be the greatest integer lower than or equal to $\log_2(N \times (2^m-1))$ (resp. to $\log_2(N \times (2^m-1)) + 1$). Let $(E_j)_{1 \le j \le N}$ be a partition of $\mathbb{F}_2^s$ such that $\#E_j \le 2^m - 1$ (resp. $\#E_j \le 2(2^m-1)$), for $j = 1, \ldots, N$ (due to the choice of $s$, such partitions can always be defined). Define a function $\pi$ from $\mathbb{F}_2^s$ into $\mathbb{F}_{2^m}^*$ whose restriction to each $E_j$, $j = 1, \ldots, N$, is injective (resp. two-to-one). Choose any $(s,m)$-function $H$ and let $n$ denote the sum $r+s$; then the $(n,m)$-function $F$ whose coordinate functions are defined by

$$f_i(x,y) = x \cdot \Big( \sum_{j=1}^{N} \delta_{E_j}(y) \times [L_i^{(j)} \circ \pi](y) \Big) \oplus h_i(y),$$

where, for every $j \le N$, $\delta_{E_j}$ denotes the indicator function of the set $E_j$ (defined by $\delta_{E_j}(y) = 1$ if $y \in E_j$ and $\delta_{E_j}(y) = 0$ otherwise), is at least $t$-resilient and admits $2^{n-1} - 2^{r-1}$ (resp. $2^{n-1} - 2^r$) for nonlinearity (the codes have been chosen having a pairwise intersection reduced to $\{0\}$ in order to ensure the injectivity (resp. the two-to-one property) of the functions $y \mapsto \sum_{j=1}^{N} \delta_{E_j}(y) \times [L_i^{(j)} \circ \pi](y)$, $i = 1, \ldots, m$, and of their nonzero linear combinations).

Claude Carlet and Emmanuel Prouff

In Construction 2, the value $s$ can be larger than or equal to $m$. Clearly, the smaller the value $m$, the easier the definition of a large set of nonintersecting $[r,m,t+1]$ codes (Johansson and Pasalic give in [25] a lower bound on the cardinality of such a family of codes related to the parameters $r$, $m$ and $t$). Notice that, when $m$ is close to $r$ and $t$ is high, it is sometimes possible to define a unique $[r,m,t+1]$ code whereas it becomes impossible to define more than one nonintersecting code (in these cases, Construction 2 does not improve Construction 1, since the family of nonintersecting codes is reduced to one element). Johansson and Pasalic give in [25] numerical examples of $t$-resilient $(n,m)$-functions defined with Construction 2 for an injective function $\pi$, whose nonlinearity is strictly better than the nonlinearity of any $(n,m)$-function designed as in Construction 1 for the same parameters $n$ and $t$. However, this construction is often worse than Construction 1 for large resiliency orders. Indeed, in order to define $N$ nonintersecting $[r,m,t+1]$ codes in $\mathbb{F}_2^r$, the parameter $r$ must clearly be greater than or equal to $N \times m$, whereas the parameter $t$ satisfies $t < m$. Hence, the $(r+s,m)$-functions designed should be defined in a vector space of cardinality at least $2^{Nt}$ in order to have a resiliency order equal to $t$. Moreover, the difference $r - s$, that we want to minimize, is lower bounded by $N \times m - \log_2(N \times (2^m-1))$ (resp. $N \times m - \log_2(N \times (2^m-1)) - 1$), that is approximately by $(N-1) \times m - \log_2(N)$, and this lower bound increases quickly with $N$ (i.e. with the number of nonintersecting codes considered).



3.3 Other Constructions of Highly Nonlinear Resilient Vectorial Functions, Based on the Same Principle as the Maiorana-MacFarland Construction

Two constructions of highly nonlinear resilient vectorial functions, respectively based on elliptic curve theory and on the trace of some power functions $x \mapsto x^d$ on finite fields, have been designed respectively by Cheon [13] and by Nyberg [34-36] (see also Khoo and Gong [26]). However, it is still an open problem to design highly nonlinear functions with high algebraic degree and high resiliency order with Cheon's method. On the other hand, the number of functions which can be designed by Nyberg's and Cheon's methods is very small and the resiliency of the designed functions is difficult to study.

In fact, there exist at present only two main constructions of a large set of resilient highly nonlinear mappings: the Maiorana-MacFarland construction recalled in Section 3.2 and a second one proposed by Zhang and Zheng in [43,44]. Zhang and Zheng's construction consists in the composition of a linear resilient $(n,m,t)$-function with a highly nonlinear permutation on $\mathbb{F}_2^m$ and it is based on the second part of Remark 1. Since it assumes the existence of a previously defined highly nonlinear function, it is a secondary construction.

Construction 3 [44] Let $L$ be a linear surjective $(n,m,t)$-function and let $G$ be an $(m,k)$-function whose nonlinearity is denoted by $N_G$. Then the $(n,k)$-function $F = G \circ L$ is $t$-resilient, admits $2^{n-m} N_G$ for nonlinearity and its degree is the same as that of $G$.

Remark 9. In [23], Gupta and Sarkar modified the Zhang and Zheng Construction 3 to design nonlinear functions with degree $d > m$. The first construction of highly nonlinear $(n,m)$-functions with algebraic degree strictly greater than $m$ was obtained by Cheon in [13] by combining linear codes with inverse linear functions on finite fields. But Gupta and Sarkar achieved this in an easier way by simply dropping some output bits in functions defined as in Construction 3.

Clearly, the nonlinearity of an $(n,m,t)$-function $F = G \circ L$ constructed using Construction 3 is maximal if the nonlinearity of $G$ is maximal. Hence, if $G$ is a permutation, then due to Chabaud-Vaudenay's bound recalled in Section 2, the nonlinearity $N_F$ of $F$ is upper bounded by $2^{n-m}\big(2^{m-1} - 2^{\frac{m-1}{2}}\big) = 2^{n-1} - 2^{n - \frac{m+1}{2}}$, this bound being tight if and only if $m$ is odd and $G$ is almost bent. In [44], taking for function $G$ the inverse function $x \mapsto x^{-1}$ on the finite field $\mathbb{F}_{2^m}$ studied by Nyberg in [36], Zhang and Zheng obtained $t$-resilient functions having a nonlinearity greater than or equal to $2^{n-1} - 2^{n - m/2}$ and having $m-1$ for algebraic degree.

The linear (n, m)-functions involved in the construction of Zhang and Zheng in- 
troduce a weakness which could be used to attack a system implementing them 
as cryptographic functions (for instance, it has been proved in [10] that their 
unrestricted nonlinearity is null and then, that this kind of functions cannot be 
used as a multi-output combination function in stream ciphers). However, this 
drawback can be avoided by concatenating such functions (obtained through 
Construction 3). Recall indeed that the concatenation of t-resilient functions 
is t-resilient. And a good nonlinearity can be obtained by concatenating func- 
tions with disjoint Walsh supports. We obtain this way a modified Maiorana- 
MacFarland’s construction. 
All the other primary constructions presented in [25,28,29,35] are based on Construction 1. As we show in what follows, the recent construction of $(n,m,t)$-functions defined by Gupta and Sarkar and presented as better than the previously known constructions is also obtained as a particular application of Construction 1, and it is a secondary construction, since it assumes the existence of previously defined highly nonlinear functions. Let us recall Gupta and Sarkar's construction.

Proposition 7. [23] Let $C$ be an $[r,m,t+1]$ linear code and let $L_1, \ldots, L_m$ be $m$ linear functions defined as in Lemma 1 with respect to $C$ and with a primitive element $\alpha$ of $\mathbb{F}_{2^m}$. Let $s$ be an integer strictly lower than $m$ and, for any integer $p$, denote $r+s+p$ by $n$. Define a function $\tau$ from $\mathbb{F}_2^s$ into $\mathbb{F}_{2^m}^*$ by $\tau(y) = \alpha^{\sum_{i=1}^{s} y_i 2^{i-1}}$; then, for any $(p,m)$-function $H$, the $(n,m)$-function $F$ whose coordinate functions $f_i$ are defined by $f_i(x,y,y') = x \cdot [L_i \circ \tau](y) \oplus h_i(y')$ is $t$-resilient and admits $2^{n-1} - 2^{r-1}(2^p - 2N_H)$ for nonlinearity.

In Proposition 7, let $\pi$ denote the function defined from $\mathbb{F}_2^s \times \mathbb{F}_2^p$ into $\mathbb{F}_{2^m}$ by $\pi(y,y') = \tau(y)$. On the other hand, let $H'$ be the $(s+p,m)$-function defined by $H'(y,y') = H(y')$. Then the coordinate functions of the function $F$ defined in Proposition 7 can be rewritten $f_i(x,(y,y')) = x \cdot [L_i \circ \pi](y,y') \oplus h'_i(y,y')$. Thus, the functions defined by Gupta and Sarkar belong to $\mathcal{M}_{n,m}$ and are particular cases of Relation (19). The resiliency of the constructed functions is clearly a direct consequence of Lemma 1, and one can already notice that Proposition 7 remains true if one assumes that the function $\tau$ is any injective or two-to-one function (in this case the value $s$ in Proposition 7 can be equal to $m$) instead of the function $y \in \mathbb{F}_2^s \mapsto \alpha^{\sum_{i=1}^{s} y_i 2^{i-1}}$. Applying Equation (20) to $F$, one obtains

$$N_F = 2^{n-1} - 2^{r-1} \max_{z \in \mathbb{F}_{2^m},\, v \in \mathbb{F}_2^{m*},\, (u',u'') \in \mathbb{F}_2^s \times \mathbb{F}_2^p} \Big| \sum_{(y,y') \in \pi^{-1}(z)} (-1)^{v \cdot H'(y,y') + u' \cdot y + u'' \cdot y'} \Big| .$$

For every $z \in \mathbb{F}_{2^m}$, we have $\pi^{-1}(z) = \tau^{-1}(z) \times \mathbb{F}_2^p$ if $z \in \tau(\mathbb{F}_2^s)$ and $\pi^{-1}(z) = \emptyset$ otherwise. Since $\tau$ is injective (resp. two-to-one) from $\mathbb{F}_2^s$ into $\mathbb{F}_{2^m}$, we deduce that $\sum_{(y,y') \in \pi^{-1}(z)} (-1)^{v \cdot H'(y,y') + u' \cdot y + u'' \cdot y'}$ can be rewritten

$$\Big( \sum_{y \in \tau^{-1}(z)} (-1)^{u' \cdot y} \Big) \Big( \sum_{y' \in \mathbb{F}_2^p} (-1)^{v \cdot H(y') + u'' \cdot y'} \Big) ,$$

whose maximum absolute value over $z$, $u'$, $u''$ and $v \ne 0$ equals $2^p - 2N_H$ (resp. $2(2^p - 2N_H)$) by Equation (8) applied to $H$, which implies $N_F = 2^{r+s+p-1} - 2^{r-1}(2^p - 2N_H)$ (resp. $N_F = 2^{r+s+p-1} - 2^r(2^p - 2N_H)$).



3.4 Vectorial Maiorana-MacFarland (n, m)-Functions with m > n/2

Due to Remark 8, the construction of balanced highly nonlinear $(n,m)$-functions inside $\mathcal{M}_{n,m}$ cannot be easily done using Corollary 1 and Proposition 5 when $m$ is strictly greater than $n/2$. The construction of Zhang and Zheng does not provide full satisfaction, as we recalled in Section 3.3, and its modification by concatenating such functions extends the value of $n$ and, in practice, makes $m$ smaller than $n/2$. Hence, there is a need for a primary construction of highly nonlinear resilient $(n,m)$-functions such that $m>n/2$.

Definition 3. We denote by $\mathcal{M}^*_{n,m}$ the set of functions $F$ defined from a product space $\mathbb{F}_2^n=\mathbb{F}_2^r\times\mathbb{F}_2^s$ into a space $\mathbb{F}_2^m$ and which can be written in the form

$$F(x,y) = (F'(x,y),\,T(y)), \qquad (21)$$

where $F'$ is an $(r+s,p)$-function belonging to $\mathcal{M}_{r+s,p}$ ($p$ is an integer strictly lower than $m$) and is defined as in (12), and $T$ is any $(s,m-p)$-function.

According to Relation (15), the Walsh transform $\hat\chi_F$ of $F$ satisfies the relation

$$\hat\chi_F((u,u'),(v,v')) = 2^r\sum_{y\in E_{u,v}}(-1)^{v\cdot H(y)+v'\cdot T(y)+u'\cdot y}. \qquad (22)$$



We deduce the following proposition. 

Proposition 8. Let $F$ be an element of $\mathcal{M}^*_{n,m}$ defined as in Equation (21). Then, the nonlinearity of $F$ is upper bounded by $2^rN_T$. Moreover, if the set $E_{u,v}$ has cardinality lower than or equal to 2 for every nonzero vector $v\in\mathbb{F}_2^p$ and every vector $u\in\mathbb{F}_2^r$, and if $s>1$, then $N_F$ equals $2^rN_T$.

Proof. Let $n$ denote the sum $r+s$. Due to Equation (8), we have

$$\max_{u'\in\mathbb{F}_2^s,\ v'\in\mathbb{F}_2^{(m-p)*}}|\hat\chi_T(u',v')| = 2^s-2N_T$$

and

$$N_F = 2^{n-1}-\frac12\max_{(u,u')\in\mathbb{F}_2^n,\ (v,v')\in\mathbb{F}_2^{m*}}|\hat\chi_F((u,u'),(v,v'))|.$$

We have

$$\max_{(u,u')\in\mathbb{F}_2^n,\ (v,v')\in\mathbb{F}_2^{m*}}|\hat\chi_F((u,u'),(v,v'))| \ \ge\ \max_{(u,u')\in\mathbb{F}_2^n,\ v'\in\mathbb{F}_2^{(m-p)*}}|\hat\chi_F((u,u'),(0,v'))| = 2^r\max_{u'\in\mathbb{F}_2^s,\ v'\in\mathbb{F}_2^{(m-p)*}}|\hat\chi_T(u',v')|$$

and, hence,

$$N_F = 2^{n-1}-\frac12\max_{(u,u')\in\mathbb{F}_2^n,\ (v,v')\in\mathbb{F}_2^{m*}}|\hat\chi_F((u,u'),(v,v'))| \ \le\ 2^{n-1}-2^{r-1}\max_{u'\in\mathbb{F}_2^s,\ v'\in\mathbb{F}_2^{(m-p)*}}|\hat\chi_T(u',v')| = 2^rN_T.$$

If the set $E_{u,v}$ has cardinality lower than or equal to 2 for every nonzero vector $v\in\mathbb{F}_2^p$ and every vector $u\in\mathbb{F}_2^r$, then Equation (22) implies that $|\hat\chi_F|$ takes its values in the set $\{0,2^r,2^{r+1}\}$. Hence, the maximum value of $|\hat\chi_F|$ under the condition $v\neq0$ is lower than or equal to $2^r$ times the maximum value of $|\hat\chi_T|$. Thus $N_F=2^rN_T$.
A direct consequence of Relation (22) is

Proposition 9. Let $F$ be an element of $\mathcal{M}^*_{n,m}$ defined with respect to an $(r+s,p)$-function $F'$ and an $(s,m-p,t')$-function $T$ as in Equation (21). If $F'$ satisfies the hypothesis of Corollary 1 (i.e. the family $(\phi_1(y),\ldots,\phi_p(y))$ is a basis of a $p$-dimensional subspace of $\mathbb{F}_2^r$ having $t+1$ for minimum Hamming weight) for some integer $t$, then the resiliency order of $F$ is greater than or equal to $\min(t,t')$.

Proposition 9 provides a secondary construction, because it uses a function $T$ (supposed to be highly resilient and to have high nonlinearity). Obviously, $T$ can be constructed according to the same principle as $F$. This leads to the following construction of $(n,n)$-functions (it would also be a simple matter to describe a construction of $(n,m)$-functions obtained by applying Proposition 9 recursively with successive values of $p$ equal to $n/2$, $n/4$, and so on).

Construction 4

Let $k$, $n$ and $n'$ be three integers such that $n=2^kn'$. Let $P$ be a permutation on $\mathbb{F}_2^{n'}$ and let $F_i$, $i=0,1,\ldots,k-1$, be balanced $(n/2^i,\,n/2^{i+1})$-functions designed as in Construction 1 (due to Lemma 1 such functions can always be defined). Then, the $(n,n)$-function $F=(F_0,F_1,\ldots,F_{k-1},P)$ is balanced, admits $2^{n/2+n/4+\cdots+n/2^k}N_P$ for nonlinearity and its minimum algebraic degree $\deg_{\min}F$ is lower bounded by

$$\min\big(\deg_{\min}(F_0),\ \deg_{\min}(F_1),\ \ldots,\ \deg_{\min}(F_{k-1}),\ \deg_{\min}(P)\big)$$

(which is upper bounded by $n'$).



4 Covering Sequences of Vectorial Functions 

4.1 The Boolean Case 

In [11], the notion of covering sequence of Boolean functions is introduced.

Definition 4. [11] A covering sequence of a function $f:\mathbb{F}_2^n\to\mathbb{F}_2$ is any real-valued function $\varphi$ on $\mathbb{F}_2^n$ such that the real summation $\sum_{a\in\mathbb{F}_2^n}\varphi(a)D_af$ is equal to a constant function $\rho$. The value of $\rho$ is called the level of this sequence. If $\rho\neq0$, then we say that the covering sequence is non-trivial.

Notice that, for every $x\in\mathbb{F}_2^n$, the sum $\sum_{a\in\mathbb{F}_2^n}\varphi(a)D_af(x)$ equals $\sum_{a;\ D_af(x)=1}\varphi(a)$ and that, if it is constant, then the sum $\sum_{a;\ D_af(x)=0}\varphi(a)$ is also constant. This will lead us to a natural generalization to $(n,m)$-functions. Before that, we recall in the next proposition the complete characterization given in [11] of the balancedness of Boolean functions by means of their covering sequences.

Proposition 10. [11] Any Boolean function $f$ on $\mathbb{F}_2^n$ is balanced if and only if it admits at least one non-trivial covering sequence. The same covering sequence, the constant sequence 1, can be taken for all balanced functions. The level of this sequence with respect to any balanced function equals $2^{n-1}$.

The relevance of the notion of covering sequence to the study of Boolean func- 
tions is shown in [11], by characterizing it by means of the Walsh transform 
and by giving complete characterizations of the correlation-immunity and of 
the resiliency of Boolean functions with respect to their covering sequences (see 
generalizations in Theorem 2 and Corollary 2). 



4.2 The Multiple Output Case 

In the following definition, we extend the notion of covering sequence to the case of $(n,m)$-functions.

Definition 5. We call covering sequence of an $(n,m)$-function $F$ a pair $(\varphi,\psi)$ of functions from, respectively, $\mathbb{F}_2^n$ and $\mathbb{F}_2^m$ into $\mathbb{R}$, such that:

$$\forall x\in\mathbb{F}_2^n,\ \forall b\in\mathbb{F}_2^m,\quad \sum_{a\in\mathbb{F}_2^n;\ D_aF(x)=b}\varphi(a) = \psi(b). \qquad (23)$$



Remark 10. A covering sequence $(\varphi,\psi)$ of an $(n,m)$-function $F$ satisfies the relation

$$\#\mathrm{Supp}\,\psi \le \#\mathrm{Supp}\,\varphi.$$

Indeed, let $x$ be an element of $\mathbb{F}_2^n$. For every $b$ in $\mathbb{F}_2^m$, we denote by $A_b(x)$ the set $\{a\in\mathrm{Supp}\,\varphi;\ D_aF(x)=b\}$. According to Relation (23), if a vector $b\in\mathbb{F}_2^m$ belongs to $\mathrm{Supp}\,\psi$ then, for every $x\in\mathbb{F}_2^n$, the set $A_b(x)$ is nonempty. By definition of covering sequences, for every $x$ of $\mathbb{F}_2^n$, the family $(A_b(x))_{b\in\mathrm{Supp}\,\psi}$ is a partition of a subset of $\mathrm{Supp}\,\varphi$ and we conclude that the cardinality of the set $\mathrm{Supp}\,\varphi$ is greater than or equal to the cardinality of the set $\mathrm{Supp}\,\psi$.

The natural generalization of the notion of non-trivial covering sequence will 
appear below. To use the properties of the Walsh transform, we will need the 
following lemma. 

Lemma 2. Let $F$ be an $(n,m)$-function. A pair of numerical functions $(\varphi,\psi)$ from, respectively, $\mathbb{F}_2^n$ and $\mathbb{F}_2^m$ into $\mathbb{R}$ is a covering sequence of $F$ if and only if, for every vector $v\in\mathbb{F}_2^{m*}$, we have

$$\varphi\otimes\chi_F(\cdot,v) = \hat\psi(v)\,\chi_F(\cdot,v), \qquad (24)$$

where $\chi_F(\cdot,v)$ denotes the function $x\mapsto\chi_F(x,v)=(-1)^{v\cdot F(x)}$.
Proof. Relation (23) is equivalent to the fact that the functions

$$b\mapsto\sum_{a\in\mathbb{F}_2^n;\ D_aF(x)=b}\varphi(a)$$

and $b\mapsto\psi(b)$ are equal. Since two numerical functions are equal to each other if and only if their Fourier transforms are equal to each other, Relation (23) is equivalent to:

$$\forall v\in\mathbb{F}_2^{m*},\ \forall x\in\mathbb{F}_2^n,\quad \sum_{a\in\mathbb{F}_2^n}\varphi(a)(-1)^{v\cdot D_aF(x)} = \sum_{b\in\mathbb{F}_2^m}\psi(b)(-1)^{v\cdot b},$$

that is,

$$\forall v\in\mathbb{F}_2^{m*},\ \forall x\in\mathbb{F}_2^n,\quad \sum_{a\in\mathbb{F}_2^n}\varphi(a)(-1)^{v\cdot F(x+a)} = \hat\psi(v)\,(-1)^{v\cdot F(x)},$$

or equivalently,

$$\forall v\in\mathbb{F}_2^{m*},\quad \varphi\otimes\chi_F(\cdot,v) = \hat\psi(v)\,\chi_F(\cdot,v).$$

Remark 11. By summing up Relation (23) with $b$ ranging over $\mathbb{F}_2^m$, we deduce $\hat\varphi(0)=\hat\psi(0)$.

The following theorem generalizes Proposition 10 and leads to a natural defini- 
tion of non-trivial covering sequence of vectorial functions. 

Theorem 1. An $(n,m)$-function $F$ is balanced if and only if it admits at least one covering sequence $(\varphi,\psi)$ satisfying $\hat\psi(v)\neq\hat\psi(0)$ for every nonzero vector $v$ of $\mathbb{F}_2^m$. Any balanced $(n,m)$-function $F$ admits the pair of constant functions $(1,2^{n-m})$ for covering sequence.

Proof. Assume that $(\varphi,\psi)$ is a covering sequence of $F$, then Equation (24) is satisfied:

$$\forall v\in\mathbb{F}_2^{m*},\ \forall x\in\mathbb{F}_2^n,\quad [\varphi\otimes\chi_F(\cdot,v)](x) = \hat\psi(v)\,\chi_F(x,v).$$

Summing up with $x$ ranging over $\mathbb{F}_2^n$, that is, computing the values at 0 of the Fourier transform of both sides of this functional equality, and using Relation (7), we obtain:

$$\forall v\in\mathbb{F}_2^{m*},\quad \hat\varphi(0)\,\hat\chi_F(0,v) = \hat\psi(v)\,\hat\chi_F(0,v),$$

that is, $(\hat\varphi(0)-\hat\psi(v))\,\hat\chi_F(0,v)=0$ for every nonzero vector $v\in\mathbb{F}_2^m$. If $\hat\varphi(0)-\hat\psi(v)$ is nonzero for every $v\in\mathbb{F}_2^{m*}$, then the function $v\mapsto\hat\chi_F(0,v)$ is null on $\mathbb{F}_2^{m*}$, which implies that $F$ is balanced (see Remark 1).

Conversely, if $F$ is balanced, then, for every pair $(b,x)\in\mathbb{F}_2^m\times\mathbb{F}_2^n$, the cardinality of the set $\{a\in\mathbb{F}_2^n;\ D_aF(x)=b\}$ is constant, equal to $2^{n-m}$, since the equation $D_aF(x)=b$ is equivalent to $F(x+a)=b+F(x)$. Let $\varphi:\mathbb{F}_2^n\to\mathbb{R}$ and $\psi:\mathbb{F}_2^m\to\mathbb{R}$ be respectively the constant function $x\mapsto1$ and the constant function $y\mapsto2^{n-m}$; then the pair $(\varphi,\psi)$ is a covering sequence of $F$ satisfying the relation $\hat\psi(v)=0\neq\hat\psi(0)=\hat\varphi(0)$ for every element $v$ of $\mathbb{F}_2^{m*}$.
Definition 6. A covering sequence $(\varphi,\psi)$ of an $(n,m)$-function $F$ is said to be non-trivial if $\hat\psi(v)$ never equals $\hat\psi(0)$ when $v$ ranges over $\mathbb{F}_2^{m*}$.

Thus, according to Theorem 1, an $(n,m)$-function $F$ is balanced if and only if it admits a non-trivial covering sequence.
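The following Python block is an added example, not code from the paper or its authors: it checks Definition 4 (the level of a covering sequence of a Boolean function), Relation (23) of Definition 5, the constant pair $(1,2^{n-m})$ of Theorem 1 and the non-triviality condition of Definition 6 by brute force on constructed $(4,2)$-functions. Truth tables are lists of $2^n$ integers indexed by the input, with the bits of each integer holding the coordinates; the function names, the sample functions and the variable names are ours.

```python
# Added example, not from the paper: a brute-force check of Definition 4 (level
# of a covering sequence of a Boolean function), Definition 5 (Relation (23)),
# Theorem 1 (the pair (1, 2^(n-m))) and Definition 6 (non-triviality via the
# Fourier transform of psi).  Functions on F_2^n are stored as lists of 2**n
# integers indexed by the input; the bits of each integer are the coordinates.
# All function and variable names, and the sample functions, are ours.
from collections import Counter


def parity(x):
    """Parity of the bits of x; parity(u & b) is the dot product u.b over F_2."""
    return bin(x).count("1") & 1


def derivative(F, a, x):
    """D_a F(x) = F(x) + F(x + a); vector addition over F_2 is XOR."""
    return F[x] ^ F[x ^ a]


def boolean_level(f, n, phi):
    """Definition 4: the level rho of phi for the Boolean function f, or None
    when sum_a phi(a) D_a f(x) is not the same for every x."""
    levels = {sum(phi(a) * derivative(f, a, x) for a in range(1 << n))
              for x in range(1 << n)}
    return levels.pop() if len(levels) == 1 else None


def is_covering_sequence(F, n, m, phi, psi):
    """Relation (23): for every x in F_2^n and b in F_2^m, the sum of phi(a)
    over the a with D_a F(x) = b must equal psi(b)."""
    for x in range(1 << n):
        sums = Counter()
        for a in range(1 << n):
            sums[derivative(F, a, x)] += phi(a)
        if any(sums[b] != psi(b) for b in range(1 << m)):
            return False
    return True


def fourier(f, k):
    """Fourier transform on F_2^k: f_hat(v) = sum_b f(b) (-1)^(v.b)."""
    return lambda v: sum(f(b) * (-1) ** parity(v & b) for b in range(1 << k))


def is_non_trivial(psi, m):
    """Definition 6: psi_hat(v) differs from psi_hat(0) for every nonzero v."""
    psi_hat = fourier(psi, m)
    return all(psi_hat(v) != psi_hat(0) for v in range(1, 1 << m))


def is_balanced(F, n, m):
    """Every b in F_2^m has exactly 2^(n-m) pre-images under F."""
    counts = Counter(F)
    return len(counts) == 1 << m and set(counts.values()) == {1 << (n - m)}


def theorem1_check(F, n, m):
    """Return (F balanced?, F admits (1, 2^(n-m))?, that pair non-trivial?).
    Theorem 1 says the first two answers always agree."""
    phi, psi = (lambda a: 1), (lambda b: 1 << (n - m))
    return (is_balanced(F, n, m),
            is_covering_sequence(F, n, m, phi, psi),
            is_non_trivial(psi, m))


def bit(x, i):
    return (x >> i) & 1


# Constructed sample (4, 2)-functions (input bits x0, x1, x2, x3).
# Balanced: coordinates x0 x1 + x2 and x1 x3 + x0.
BALANCED = [((bit(x, 0) & bit(x, 1)) ^ bit(x, 2))
            | ((bit(x, 1) & bit(x, 3)) ^ bit(x, 0)) << 1 for x in range(16)]
# Unbalanced: coordinates x0 x1 and x2 x3 (the output 0 has 9 pre-images).
UNBALANCED = [(bit(x, 0) & bit(x, 1)) | (bit(x, 2) & bit(x, 3)) << 1
              for x in range(16)]
# Their first coordinates, as Boolean functions for Definition 4.
BOOL_BALANCED = [f & 1 for f in BALANCED]
BOOL_UNBALANCED = [f & 1 for f in UNBALANCED]

if __name__ == "__main__":
    print(theorem1_check(BALANCED, 4, 2))                  # (True, True, True)
    print(theorem1_check(UNBALANCED, 4, 2))                # (False, False, True)
    print(boolean_level(BOOL_BALANCED, 4, lambda a: 1))    # 8, i.e. 2^(n-1)
    print(boolean_level(BOOL_UNBALANCED, 4, lambda a: 1))  # None
```

The constant pair $(1,2^{n-m})$ is non-trivial whatever $F$ is (its Fourier transform is $2^n$ at 0 and 0 elsewhere), so it is a covering sequence exactly when $F$ is balanced, which is the content of Theorem 1; the pair $(\delta_0,\delta_0)$ of Remark 16, by contrast, is a trivial one, since $\hat\delta_0$ is constant.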

Remark 12. If $\psi$ is a function from $\mathbb{F}_2^m$ into $\mathbb{R}^+$, then we have $\hat\psi(v)\neq\hat\psi(0)$ for every element $v$ of $\mathbb{F}_2^{m*}$ if and only if the support of $\psi$ has rank $m$ (i.e. spans the whole vector space $\mathbb{F}_2^m$). Indeed, we have

$$\forall v\in\mathbb{F}_2^{m*},\ \hat\psi(v)\neq\hat\psi(0)\ \iff\ \forall v\in\mathbb{F}_2^{m*},\ \sum_{b\in\mathbb{F}_2^m;\ b\cdot v=1}\psi(b)\neq0$$

and, since $\psi(b)\ge0$ for all $b\in\mathbb{F}_2^m$, this relation is equivalent to saying that the support of $\psi$ is not included in a linear hyperplane of $\mathbb{F}_2^m$.

To illustrate the fact that, in Theorem 1, the condition that the covering sequence 
is non-trivial is actually necessary, we give in the next proposition an example 
of an unbalanced function having a trivial covering sequence. 

Proposition 11. Let $F$ be a balanced $(n,m)$-function admitting $(\varphi,\psi)$ for covering sequence. Define an $(n,m+1)$-function $F^*$ by $F^*(x)=(F(x),0)$. Let $\psi^*$ be the real function on $\mathbb{F}_2^{m+1}$ such that $\hat\psi^*(v_1,\ldots,v_{m+1})=\hat\psi(v_1,\ldots,v_m)$ if $(v_1,\ldots,v_m)\neq0$ and $\hat\psi^*(0,1)=\hat\psi^*(0,0)=\hat\psi(0)$. Then $F^*$ admits $(\varphi,\psi^*)$ for trivial covering sequence.

Proof. For every vector $x\in\mathbb{F}_2^n$ and every nonzero vector $(v_1,\ldots,v_m,v_{m+1})$ of $\mathbb{F}_2^{m+1}$, we have, after denoting $(v_1,\ldots,v_m)$ by $v$,

$$[\varphi\otimes\chi_{F^*}(\cdot,(v,v_{m+1}))](x) = \sum_{a\in\mathbb{F}_2^n}\varphi(a)(-1)^{v\cdot F(x+a)} = [\varphi\otimes\chi_F(\cdot,v)](x),$$

since the $(m+1)$-th coordinate function of $F^*$ is null. The pair $(\varphi,\psi)$ being a covering sequence for $F$, the convolutional product $[\varphi\otimes\chi_F(\cdot,v)](x)$ equals $\hat\psi(v)\,\chi_F(x,v)$ if $v\neq0$ and equals $\hat\varphi(0)=\hat\psi(0)$ if $v=0$. Notice that, if $v$ equals 0, then $v_{m+1}=1$ since $(v,v_{m+1})\neq0$. If $v$ differs from 0, then we have:

$$\varphi\otimes\chi_{F^*}(\cdot,(v,v_{m+1})) = \hat\psi(v)\,\chi_F(\cdot,v) = \hat\psi^*(v,v_{m+1})\,\chi_{F^*}(\cdot,(v,v_{m+1})).$$

Otherwise, if $v$ equals 0, then we showed that $\varphi\otimes\chi_{F^*}(\cdot,(0,1))$ equals $\hat\psi(0)$, that is $\hat\psi^*(0,1)$, by construction of $\psi^*$. Hence, Equation (24) being satisfied by the function $\chi_{F^*}$ and the pair $(\varphi,\psi^*)$, we deduce that $(\varphi,\psi^*)$ is a covering sequence of $F^*$ and, since $\hat\psi^*(0,1)$ equals $\hat\psi(0)=\hat\psi^*(0,0)$, this covering sequence is trivial.

As we proved in Theorem 1, the same covering sequence $(1,2^{n-m})$ can be taken for every balanced $(n,m)$-function. Finding a second covering sequence is a difficult problem in the general case. We show in the following proposition that the elements of $\mathcal{M}_{n,m}$ which satisfy the hypothesis of Corollary 1 admit several covering sequences.
Proposition 12. Let $F$ be an $(n,m)$-function derived from the $(s,r)$-functions $\phi_1,\ldots,\phi_m$ and the $(s,m)$-function $H$ as in Equation (14). If the vectors $\phi_1(y),\ldots,\phi_m(y)$ are linearly independent for every $y\in\mathbb{F}_2^s$, then $F$ admits the pair $(\delta_{\mathbb{F}_2^r\times\{0\}},\,2^{r-m})$ for covering sequence.

Proof. For every pair $(x,y)\in\mathbb{F}_2^r\times\mathbb{F}_2^s$, the function $a\mapsto D_{(a,0)}F(x,y)$ from $\mathbb{F}_2^r$ into $\mathbb{F}_2^m$ admits the Boolean functions $a\mapsto a\cdot\phi_1(y),\ \ldots,\ a\mapsto a\cdot\phi_m(y)$ for coordinate functions. This implies that the function $a\mapsto D_{(a,0)}F(x,y)$ is a linear $(r,m)$-function and, since the vectors $\phi_1(y),\ldots,\phi_m(y)$ are assumed to be linearly independent for every $y\in\mathbb{F}_2^s$, this linear function is balanced for every $y\in\mathbb{F}_2^s$. Hence, each element $b\in\mathbb{F}_2^m$ has the same number, $2^{r-m}$, of pre-images by the function $a\mapsto D_{(a,0)}F(x,y)$ for any pair $(x,y)\in\mathbb{F}_2^r\times\mathbb{F}_2^s$ and we conclude that

$$\forall(x,y)\in\mathbb{F}_2^r\times\mathbb{F}_2^s,\ \forall b\in\mathbb{F}_2^m,\quad \sum_{(a,a')\in\mathbb{F}_2^r\times\mathbb{F}_2^s;\ D_{(a,a')}F(x,y)=b}\delta_{\mathbb{F}_2^r\times\{0\}}(a,a') = 2^{r-m}.$$

In the following theorem, we generalize to a vectorial function F the characteriza- 
tion, given in [11], of its covering sequences by means of their Fourier transforms 
and of the Walsh support of F. 

Theorem 2. Let $F$ be an $(n,m)$-function and let $(\varphi,\psi)$ be any pair of real-valued functions respectively defined on $\mathbb{F}_2^n$ and on $\mathbb{F}_2^m$. Then, $F$ admits $(\varphi,\psi)$ for covering sequence if and only if, for every pair $(u,v)$ belonging to $\mathrm{Supp}\,\hat\chi_F$, we have $\hat\varphi(u)=\hat\psi(v)$.

Proof. The proof is very similar to the proof of Theorem 1: the pair $(\varphi,\psi)$ is a covering sequence of $F$ if and only if Relation (24) is satisfied; due to the bijectivity of the Fourier transform, for every nonzero vector $v\in\mathbb{F}_2^m$, the functions $\hat\psi(v)\,\chi_F(\cdot,v)$ and $\varphi\otimes\chi_F(\cdot,v)$ are equal if and only if their Fourier transforms on $\mathbb{F}_2^n$ are equal. Thus, according to Relation (7), the pair $(\varphi,\psi)$ is a covering sequence of $F$ if and only if

$$\forall v\in\mathbb{F}_2^{m*},\ \forall u\in\mathbb{F}_2^n,\quad \hat\varphi(u)\,\hat\chi_F(u,v) = \hat\psi(v)\,\hat\chi_F(u,v),$$

that is, if and only if

$$\big((u,v)\in\mathrm{Supp}\,\hat\chi_F\ \text{and}\ v\neq0\big)\implies\hat\varphi(u)=\hat\psi(v).$$

Moreover, if $v=0$, then $\hat\chi_F(u,0)$ equals 0 for every nonzero vector $u\in\mathbb{F}_2^n$ and equals $2^n$ if $u=0$. Since $\hat\varphi(0)=\hat\psi(0)$, we obtain $\big((u,0)\in\mathrm{Supp}\,\hat\chi_F\big)\implies\hat\varphi(u)=\hat\psi(0)$ and we conclude that $(\varphi,\psi)$ is a covering sequence of $F$ if and only if

$$\forall(u,v)\in\mathrm{Supp}\,\hat\chi_F,\quad \hat\varphi(u)=\hat\psi(v).$$

Corollary 2. Let $F$ be an $(n,m)$-function admitting $(\varphi,\psi)$ for covering sequence. If the sets $\hat\varphi(\{u\in\mathbb{F}_2^n;\ w_H(u)\le t\})$ and $\hat\psi(\mathbb{F}_2^{m*})$ are disjoint, then $F$ is $t$-resilient.
Remark 13. As in [11], a converse of Corollary 2 can be proven.

As a consequence of Theorem 2, we also deduce a property valid for a large class 
of functions including all balanced functions. 

Corollary 3. Let $F$ be an $(n,m)$-function and let $(\varphi,\psi)$ be a covering sequence for $F$. Assume that the functions $\varphi$ and $\psi$ are, respectively, different from the zero function on $\mathbb{F}_2^n$ and different from the zero function on $\mathbb{F}_2^{m*}$, then:

1. For every vector $u\in\mathbb{F}_2^n$, there exists $v\in\mathbb{F}_2^{m*}$ such that $\hat\chi_F(u,v)=0$,

2. For every vector $v\in\mathbb{F}_2^m$, there exists a vector $u\in\mathbb{F}_2^n$ such that $\hat\chi_F(u,v)=0$.

Proof. 1. Suppose that there exists a vector $u\in\mathbb{F}_2^n$ such that $\hat\chi_F(u,v)\neq0$ for all $v\in\mathbb{F}_2^{m*}$. Then, the set $\{u\}\times\mathbb{F}_2^{m*}$ being included in $\mathrm{Supp}\,\hat\chi_F$, we have, according to Theorem 2,

$$\forall v\in\mathbb{F}_2^{m*},\quad \hat\psi(v)=\hat\varphi(u).$$

Due to the inverse formula, this implies that $\psi(b)$ equals 0 for every nonzero vector $b$, which contradicts the hypothesis on $\psi$.

2. Suppose that there exists a vector $v\in\mathbb{F}_2^m$ such that $\hat\chi_F(u,v)\neq0$ for all $u\in\mathbb{F}_2^n$. Then, the set $\mathbb{F}_2^n\times\{v\}$ being included in $\mathrm{Supp}\,\hat\chi_F$, we have, according to Theorem 2,

$$\forall u\in\mathbb{F}_2^n,\quad \hat\varphi(u)=\hat\psi(v).$$

Due to the inverse formula, this implies that $\varphi(a)$ equals 0 for every vector $a\in\mathbb{F}_2^n$, which contradicts the hypothesis on $\varphi$.

Remark 14. We excluded the case $v=0$ in the first assumption of Corollary 3 since this value gives no information about the function $F$. Indeed, for any $(n,m)$-function $F$, we have $\hat\chi_F(u,0)=0$ if $u\neq0$ and $\hat\chi_F(u,0)=2^n$ if $u=0$, and the first assumption is trivially true for every nonzero vector $u$ if we accept $v=0$.

Due to Corollary 3, if an $(n,m)$-function $F$ admits a covering sequence $(\varphi,\psi)$ such that $\psi$ is not the zero function on $\mathbb{F}_2^{m*}$, then for every vector $u\in\mathbb{F}_2^n$, there exists a nonzero linear combination of the coordinate functions of $F$ whose sum with the Boolean linear function $x\mapsto u\cdot x$ is balanced. This is true in particular for any balanced function $F$, since, if $(\varphi,\psi)$ is non-trivial, then $\psi$ has this property.

4.3 Stability of Covering Sequences 

In this section, we show that one can deduce, in some cases, a covering sequence of a function, either defined by composition or by concatenation, from covering sequences of the functions involved in the definition of the function. We show that this property is particularly relevant for the study of covering sequences of the elements of $\mathcal{M}^*_{n,m}$ and that it implies, for instance, that some permutations inside of $\mathcal{M}^*_{n,m}$ cannot be used as a round function in an iterated block cipher (we will explain why in Section 5).
Proposition 13. Let $F:\mathbb{F}_2^n\to\mathbb{F}_2^m$ and $G:\mathbb{F}_2^m\to\mathbb{F}_2^p$ be two functions admitting respectively $(\varphi,\psi)$ and $(\psi,\theta)$ for covering sequences. Then, $(\varphi,\theta)$ is a covering sequence of $G\circ F$.

Proof. For every pair $(x,a)\in\mathbb{F}_2^n\times\mathbb{F}_2^n$, we have, denoting $D_aF(x)$ by $b$:

$$D_a[G\circ F](x) = G(F(x))+G(F(x+a)) = G(F(x))+G(F(x)+b) = (D_bG)(F(x)).$$

Thus, for every pair $(x,c)\in\mathbb{F}_2^n\times\mathbb{F}_2^p$, we have:

$$\sum_{a\in\mathbb{F}_2^n;\ D_a[G\circ F](x)=c}\varphi(a) = \sum_{b\in\mathbb{F}_2^m;\ (D_bG)(F(x))=c}\Bigg(\sum_{a\in\mathbb{F}_2^n;\ D_aF(x)=b}\varphi(a)\Bigg).$$

For every pair $(x,b)\in\mathbb{F}_2^n\times\mathbb{F}_2^m$, we have $\sum_{a\in\mathbb{F}_2^n;\ D_aF(x)=b}\varphi(a)=\psi(b)$ and thus we get

$$\sum_{a\in\mathbb{F}_2^n;\ D_a[G\circ F](x)=c}\varphi(a) = \sum_{b\in\mathbb{F}_2^m;\ (D_bG)(F(x))=c}\psi(b).$$

Let $y$ denote $F(x)$, then:

$$\sum_{a\in\mathbb{F}_2^n;\ D_a[G\circ F](x)=c}\varphi(a) = \sum_{b\in\mathbb{F}_2^m;\ D_bG(y)=c}\psi(b).$$

Since $(\psi,\theta)$ is a covering sequence of $G$, the sum $\sum_{b\in\mathbb{F}_2^m;\ D_bG(y)=c}\psi(b)$ takes the constant value $\theta(c)$ for every pair $(y,c)\in\mathbb{F}_2^m\times\mathbb{F}_2^p$ and we deduce

$$\forall x\in\mathbb{F}_2^n,\ \forall c\in\mathbb{F}_2^p,\quad \sum_{a\in\mathbb{F}_2^n;\ D_a[G\circ F](x)=c}\varphi(a) = \theta(c).$$



Remark 15. In particular, if a function $F$ admits two covering sequences $(\varphi_1,\psi_1)$ and $(\varphi_2,\psi_2)$ such that $\psi_1=\varphi_2$, then the function $F\circ F$ admits $(\varphi_1,\psi_2)$ for covering sequence.

One can easily check that the $(r+s,m+k)$-function $F$ obtained by concatenating the outputs of an $(r,m)$-function $F'_1$ having $(\varphi,\psi)$ for covering sequence with the outputs of an independent $(s,k)$-function $T$ having $(\varphi',\psi')$ for covering sequence, defined by $F(x,y)=(F'_1(x),T(y))$, admits $(\varphi'',\psi'')$ for covering sequence, where $\varphi''(a,a')=\varphi(a)\varphi'(a')$ and $\psi''(b,b')=\psi(b)\psi'(b')$. When the inputs of $F'_1$ and $T$ are not independent, it is generally not easy to deduce a covering sequence of $F$ from those of $F'_1$ and $T$. The aim of the following proposition is to introduce a condition on the covering sequences of $F'_1$ and of $T$ ensuring that the computation of a covering sequence of $F$ is feasible. We will see in Corollary 4 that the hypotheses of this proposition, which seem to be very strong, are satisfied by the elements of $\mathcal{M}^*_{n,m}$.




Vectorial Functions and Covering Sequences 239 



Proposition 14. Let $F'$ be an $(r+s,p)$-function and let $T$ be an $(s,m-p)$-function admitting a covering sequence $(\varphi',\psi')$. Assume that there exist $\varphi:\mathbb{F}_2^r\times\mathbb{F}_2^s\to\mathbb{R}$ and $\psi:\mathbb{F}_2^p\to\mathbb{R}$ such that, for every $a'\in\mathrm{Supp}\,\varphi'\subset\mathbb{F}_2^s$, $F'$ admits $(\varphi(\cdot,a'),\psi)$ for covering sequence. Let $\varphi''$ and $\psi''$ be the real-valued functions respectively defined on $\mathbb{F}_2^r\times\mathbb{F}_2^s$ and on $\mathbb{F}_2^p\times\mathbb{F}_2^{m-p}$ by $\varphi''(a,a')=\varphi(a,a')\varphi'(a')$ and by $\psi''(b,b')=\psi(b)\psi'(b')$. Then, the function $F$ defined by $F(x,y)=(F'(x,y),T(y))$ admits $(\varphi'',\psi'')$ for covering sequence.

Proof. For every pair $(x,y)\in\mathbb{F}_2^r\times\mathbb{F}_2^s$ and for every element $(a,a')\in\mathbb{F}_2^r\times\mathbb{F}_2^s$, we have $D_{(a,a')}F(x,y)=(D_{(a,a')}F'(x,y),\,D_{a'}T(y))$. Then, for every pair $(x,y)\in\mathbb{F}_2^r\times\mathbb{F}_2^s$ and for every element $(b,b')\in\mathbb{F}_2^p\times\mathbb{F}_2^{m-p}$, we have

$$\sum_{\substack{(a,a')\in\mathbb{F}_2^r\times\mathbb{F}_2^s;\\ D_{(a,a')}F(x,y)=(b,b')}}\varphi(a,a')\varphi'(a') = \sum_{\substack{(a,a')\in\mathbb{F}_2^r\times\mathbb{F}_2^s;\\ D_{(a,a')}F'(x,y)=b,\ D_{a'}T(y)=b'}}\varphi(a,a')\varphi'(a')$$

and the right-hand side can be rewritten

$$\sum_{\substack{a'\in\mathbb{F}_2^s;\\ D_{a'}T(y)=b'}}\varphi'(a')\Bigg(\sum_{\substack{a\in\mathbb{F}_2^r;\\ D_{(a,a')}F'(x,y)=b}}\varphi(a,a')\Bigg).$$

Since, for every $a'\in\mathrm{Supp}\,\varphi'$, $F'$ admits $(\varphi(\cdot,a'),\psi)$ for covering sequence, we deduce that $\sum_{a\in\mathbb{F}_2^r;\ D_{(a,a')}F'(x,y)=b}\varphi(a,a')$ equals $\psi(b)$. This implies

$$\sum_{\substack{(a,a')\in\mathbb{F}_2^r\times\mathbb{F}_2^s;\\ D_{(a,a')}F(x,y)=(b,b')}}\varphi(a,a')\varphi'(a') = \psi(b)\sum_{\substack{a'\in\mathbb{F}_2^s;\\ D_{a'}T(y)=b'}}\varphi'(a'). \qquad (25)$$

The function $T$ admitting $(\varphi',\psi')$ for covering sequence, the right-hand side of Equation (25) equals $\psi(b)\psi'(b')$ and the result follows.

Remark 16. Every $(s,m-p)$-function $T$ clearly admits $(\delta_0,\delta_0)$ for trivial covering sequence. Consequently, if $F'$ admits $(\varphi(\cdot,0),\psi)$ for non-trivial covering sequence, then $F$ admits $(\varphi(\cdot,0),\,\psi\times\delta_0)$ for non-trivial covering sequence, where $\psi\times\delta_0$ denotes the function $(b,b')\mapsto\psi(b)\times\delta_0(b')$.

We argued in Section 3.4 that there is a need for a construction providing a large set of balanced highly nonlinear $(n,m)$-functions with $m>n/2$ (and more particularly of balanced highly nonlinear permutations), and we proposed a natural extension, that we called $\mathcal{M}^*_{n,m}$, of the Maiorana-MacFarland construction to design such a set. In the following corollary, we show that, as a direct consequence of Proposition 12 and Proposition 14, the elements of $\mathcal{M}^*_{n,m}$ admit very particular covering sequences.




Claude Carlet and Emmanuel Prouff 240



Corollary 4. Let $F$ be an $(r+s,m)$-function belonging to $\mathcal{M}^*_{r+s,m}$ and defined by $F(x,y)=(F'(x,y),T(y))$, where $F'$ belongs to $\mathcal{M}_{r+s,p}$ and satisfies the hypothesis of Proposition 12, and $T$ is an $(s,m-p)$-function. Then $F$ admits the pair $(\delta_{\mathbb{F}_2^r\times\{0\}},\ 2^{r-p}\delta_{\mathbb{F}_2^p\times\{0\}})$ for covering sequence. If $p$ equals $r$ and $m-p$ equals $s$ ($F$ is therefore an $(r+s,r+s)$-function), then $F$ admits the pair $(\delta_{\mathbb{F}_2^r\times\{0\}},\ \delta_{\mathbb{F}_2^r\times\{0\}})$ for covering sequence.

Proof. Trivially, $T$ admits $(\varphi',\psi')=(\delta_0,\delta_0)$ for covering sequence. According to Proposition 12, the function $F'\in\mathcal{M}_{r+s,p}$ admits the pair $(\delta_{\mathbb{F}_2^r\times\{0\}},\,2^{r-p})$ for covering sequence. This last covering sequence can be rewritten $(\delta_{\mathbb{F}_2^r\times\mathbb{F}_2^s}(\cdot,0),\,2^{r-p})$ and, hence, due to Proposition 14, $F$ admits the pair of functions $(\delta_{\mathbb{F}_2^r\times\{0\}},\ 2^{r-p}\delta_{\mathbb{F}_2^p\times\{0\}})$ for covering sequence.

5 Discriminators and Covering Sequences 

5.1 On the Notion of Discriminator in Last-Round Attacks 

To define an iterated block cipher in a formal way, we consider a family $(F_k)_{k\in\mathcal{K}}$ of $(n,n)$-functions, indexed by a value $k\in\mathcal{K}$ where $\mathcal{K}$ is called the round key space. The encryption function of the iterated block cipher with block size $n$, with $R$ rounds and with round function $F_k$ is defined by:

$$x^{(i)} = F_{k_i}(x^{(i-1)})\quad\text{for }1\le i\le R, \qquad (26)$$

where $x^{(0)}$ is the plaintext and $x^{(R)}$ is the ciphertext.

The vector $(k_1,\ldots,k_R)$ is called the key and its coordinates are the round keys. The round keys may be derived from a unique master key which is shorter than the concatenation of all the round keys.

Most known or chosen plaintext attacks on iterated block ciphers (linear attacks [30], differential attacks [2,7] or interpolation attacks [24] for instance) are divide-and-conquer techniques that find one round key after another in ascending order. Because these attacks try to recover the last-round key first, they are called last-round attacks. In a last-round attack, one considers the reduced cipher, i.e., the cipher obtained by removing the final round of the original cipher. The reduced cipher corresponds to the function:

$$G_{R-1} = G_{(k_1,\ldots,k_{R-1})} = F_{k_{R-1}}\circ\cdots\circ F_{k_1}. \qquad (27)$$

The key point in a last-round attack is to be able to distinguish the reduced cipher from a random permutation for all possible values of the first $(R-1)$ round keys $k_1,\ldots,k_{R-1}$. Some information on $k_R$ can be recovered by applying a discriminator to a subset of all functions $H_k$ defined by $H_k = F_k^{-1}\circ F_{k_R}\circ\cdots\circ F_{k_1}$, where $k$ ranges over the set of all possible values of $k_R$. Notice that, in differential and linear attacks, the discriminator is not exactly used as a black box since it is combined with a more subtle approach to recover the last-round key. But it is always possible to use a discriminator more or less as a black box, that is, as an algorithm saying whether a given candidate round key can be accepted or not.

If the guessed $k$ matches the actual last-round key $k_R$, then $F_k^{-1}$ inverts the last encryption round and $H_k$ corresponds to the reduced cipher, that is, to $G_{R-1}$. On the other hand, when $k$ is a wrong guess, we get:

$$H_k = F_k^{-1}\circ F_{k_R}\circ F_{k_{R-1}}\circ\cdots\circ F_{k_1} = F_k^{-1}\circ F_{k_R}\circ G_{R-1}.$$

Since it essentially corresponds to the reduced cipher followed by two more encryption rounds, this function is supposed to act like a random permutation. This assumption is called the hypothesis of wrong-key randomization.

A discriminator of a subset of all the permutations is defined as follows: 

Definition 7. [7] Let $\mathcal{P}_n$ denote the set of all permutations of $\mathbb{F}_2^n$ and let $\mathcal{T}$ be a subset of $\mathcal{P}_n$. A discriminator for $\mathcal{T}$ with respect to a subset $\{x_0,\ldots,x_N\}$ of $\mathbb{F}_2^n$ is a function

$$D:\ (\mathbb{F}_2^n)^{N+1}\to\mathbb{F}_2,\qquad (y_0,\ldots,y_N)\mapsto D(y_0,\ldots,y_N)$$

for which there exists $\varepsilon>0$ such that $\big|\Pr_{f\in_R\mathcal{T}}[D(f(x_0),\ldots,f(x_N))=1]-\Pr_{\pi\in_R\mathcal{P}_n}[D(\pi(x_0),\ldots,\pi(x_N))=1]\big|$ is greater than $\varepsilon$, where $\pi\in_R\mathcal{P}_n$ (resp. $f\in_R\mathcal{T}$) means that $\pi$ (resp. $f$) is a randomly chosen permutation of $\mathbb{F}_2^n$ (resp. randomly chosen in $\mathcal{T}$).

When the discriminator is involved in a last-round attack, the vectors $x_0,\ldots,x_N$ are the $N+1$ ciphertexts corresponding to $N+1$ chosen plaintexts (notice that, in the majority of last-round attacks, the plaintexts are supposed to be chosen in order to reveal a property of the reduced cipher that can be used to define a discriminator). The vectors $y_0,\ldots,y_N$ designate the values $F_k^{-1}(x_0),\ldots,F_k^{-1}(x_N)$, $k\in\mathcal{K}$, and the functions $f\in\mathcal{T}$ denote the functions $F_{k_R}^{-1}$, where $k_R$ is an element of a subset of $\mathcal{K}$ (as small as possible) containing the last-round key used to cipher the plaintexts $x_i$, $i=0,\ldots,N$.

Now the existence of a discriminator $D$ for the family of reduced ciphers

$$\mathcal{G} = \{G_K,\ K=(k_1,\ldots,k_{R-1})\in\mathcal{K}^{R-1}\}$$

with respect to a set $\{x_0,\ldots,x_N\}$ leads to a last-round attack. The discriminator $D$ should satisfy the hypothesis of fixed-key equivalence, i.e., it should return the same value for almost all reduced ciphers in $\mathcal{G}$.

In 1987, Evertse [20] introduced the notion of linear structure of vectorial functions and showed how linear structures can be used to define a discriminator in a last-round attack. Many attacks have been designed by generalizing the notion of linear structure. In particular, Canteaut and Videau [7] used a discriminator based on the notion of higher-order differential of vectorial functions, introduced by Knudsen (see [27]) as a generalization of the linear structures, and they succeeded in efficiently using this discriminator in last-round attacks against some iterated block ciphers: suppose that a reduced cipher $G_{R-1}$ of an $R$-round iterated block cipher admits a higher-order differential of order $N'$, that is, an $N'$-dimensional space $E$ such that, for every $x\in\mathbb{F}_2^n$, we have $D_EG_{R-1}(x)=\sum_{e\in E}G_{R-1}(x+e)=0$, then a discriminator can be defined by

$$D:\ (\mathbb{F}_2^n)^{N+1}\to\mathbb{F}_2,\qquad (y_0,\ldots,y_N)\mapsto D(y_0,\ldots,y_N) \qquad (28)$$

where $N$ equals $2^{N'}-1$ and where $D(y_0,\ldots,y_N)$ equals 1 if $\sum_{i=1}^{N}(y_0+y_i)=\sum_{i=0}^{N}y_i=0$ and equals 0 otherwise.

More generally, one can define a discriminator if there exists a set (not necessarily a space) $V$ and a vector $c$ such that the reduced cipher $G_{R-1}$ satisfies $D_VG_{R-1}(x)=\sum_{v\in V}G_{R-1}(x+v)=c$ for every $x\in\mathbb{F}_2^n$. The pair $(V,c)$ is called a higher-order structure.

The order of a higher-order differential can be proved to be related to the degree and to the nonlinearity of the vectorial functions (this is not the case of higher-order structures) and it is possible to prove that some reduced ciphers can be efficiently attacked using higher-order differentials. The notion of higher-order structure has never been used before (except for $\ldots=1$) to mount an attack on a cryptosystem because it is generally impossible to determine whether a given reduced cipher admits higher-order structures or not (if it is not a higher-order differential).

5.2 A Discriminator Using Covering Sequences 

If a reduced cipher $G_{(k_1,\ldots,k_{R-1})}$ defined as in Equation (27) with respect to the $(n,n)$-functions $F_{k_1},\ldots,F_{k_{R-1}}$ admits a same covering sequence $(\varphi,\psi)$ for every choice of keys $(k_1,\ldots,k_{R-1})$, then one can define a discriminator $D$ in the following way:

$$D:\ (\mathbb{F}_2^n)^{N+1}\to\mathbb{F}_2,\qquad (y_0,\ldots,y_N)\mapsto D(y_0,\ldots,y_N) \qquad (29)$$

where $N$ denotes the cardinality of the set $\mathrm{Supp}\,\varphi=\{a_1,\ldots,a_N\}$ and $D$ is defined by

$$D(y_0,\ldots,y_N)=1\ \iff\ \forall b\in\mathrm{Supp}\,\psi,\quad \sum_{\substack{1\le i\le N,\\ a_i\in\mathrm{Supp}\,\varphi,\ y_0+y_i=b}}\varphi(a_i)=\psi(b).$$

Indeed, let $x_0,x_1,\ldots,x_N$ be the $N+1$ ciphertexts corresponding to the plaintexts $x,\,x+a_1,\ldots,x+a_N$, where $x$ can be any plaintext in $\mathbb{F}_2^n$. Since $G_{(k_1,\ldots,k_{R-1})}$ admits a same covering sequence $(\varphi,\psi)$ for every choice of key $(k_1,\ldots,k_{R-1})$, then, for every choice of key $(k_1,\ldots,k_{R-1})$, we have

$$\forall b\in\mathrm{Supp}\,\psi,\quad \sum_{\substack{1\le i\le N,\\ a_i\in\mathrm{Supp}\,\varphi,\ D_{a_i}G_{(k_1,\ldots,k_{R-1})}(x)=b}}\varphi(a_i)=\psi(b). \qquad (30)$$

In a last-round attack, the vectors $y_0,\ldots,y_N$ in Relation (29) can be respectively defined as the values of $F_k^{-1}(x_0),\ldots,F_k^{-1}(x_N)$. Hence, if the guessed round key $k$ equals $k_R$, then $F_{k_R}^{-1}(x_0),\,F_{k_R}^{-1}(x_1),\ldots,F_{k_R}^{-1}(x_N)$ equal respectively $G_{k_1,\ldots,k_{R-1}}(x)$, $G_{k_1,\ldots,k_{R-1}}(x+a_1)$, $\ldots$, $G_{k_1,\ldots,k_{R-1}}(x+a_N)$ and Relation (30) can be rewritten as

$$\forall b\in\mathrm{Supp}\,\psi,\quad \sum_{\substack{1\le i\le N,\\ a_i\in\mathrm{Supp}\,\varphi,\ y_0+y_i=b}}\varphi(a_i)=\psi(b).$$

We deduce that if $y_0,\ldots,y_N$ are respectively defined as the values of $F_k^{-1}(x_0),\ldots,F_k^{-1}(x_N)$ and if the guessed key $k$ equals the round key $k_R$, then $D(y_0,\ldots,y_N)=1$.

In many cryptosystems (like in AES or in DES) the round keys are introduced by addition and the round functions $F_{k_i}$, $1\le i\le R$, are defined with respect to a unique function $F$ by $F_{k_i}(x)=F(x+k_i)$.

In Theorem 1, we established the relationship between the existence of a covering sequence of a function $F$ and the balancedness of this function. Let $(F_k)_{k\in\mathcal{K}}$ be a family of $R$ $(n,n)$-functions and let $G_{k_1,\ldots,k_{R-1}}$ denote the function $F_{k_{R-1}}\circ\cdots\circ F_{k_1}$. Assume that each function $F_{k_i}$ admits a same covering sequence $(\varphi_i,\psi_i)$ for every choice of round key $k_i\in\mathcal{K}$ and that, for every index $i<R-1$, we have $\psi_i=\varphi_{i+1}$. Then, according to Proposition 13, the function $G_{k_1,\ldots,k_{R-1}}$ admits the same covering sequence $(\varphi_1,\psi_{R-1})$ for any choice of key $(k_1,\ldots,k_{R-1},k_R)$.

Remark 17.

1. In order to be used in a cryptographic design, the $(n,n)$-functions $F_{k_i}$ are necessarily balanced, therefore they admit at least one covering sequence. Moreover, if the round keys are introduced by addition and if there exists one of them, $k'$, such that $F_{k'}$ admits a covering sequence $(\varphi,\psi)$, then, for every other round key $k\in\mathcal{K}$, the pair $(\varphi,\psi)$ is still a covering sequence of $F_k$. Indeed, if the round key is introduced by addition, then there exists an $(n,n)$-function $F$ such that for every $k\in\mathcal{K}\subset\mathbb{F}_2^n$ and for every vector $x\in\mathbb{F}_2^n$, we have $F_k(x)=F(x+k)$. Since $F_{k'}$ admits $(\varphi,\psi)$ for covering sequence, it satisfies Relation (23) for every vector $x\in\mathbb{F}_2^n$, which implies that $F$ also satisfies Relation (23) for every vector $x+k'\in\mathbb{F}_2^n$, that is, for every vector $x\in\mathbb{F}_2^n$. We deduce that $F$, as all the functions $F_k:x\mapsto F(x+k)$, also admits $(\varphi,\psi)$ for covering sequence.

2. Let $F$ be an $(n,n)$-function and, for every $k\in\mathbb{F}_2^n$, denote by $F_k$ the $(n,n)$-function $x\mapsto F(x+k)$ (i.e. we assume that the round key is introduced by addition). According to the remark above, if $F$ admits the pairs $(\varphi,\psi)$ and $(\psi,\varphi)$ for covering sequences, then, for any $(R-1)$-tuple $(k_1,\ldots,k_{R-1})$, the functions $F_{k_1},\ldots,F_{k_{R-1}}$ admit the pairs $(\varphi,\psi)$ and $(\psi,\varphi)$ for covering sequences. Hence, for any $(R-1)$-tuple $(k_1,\ldots,k_{R-1})$, these round functions satisfy the hypothesis of Proposition 13 and the function $G_{k_1,\ldots,k_{R-1}}$ defined as in Equation (27) admits $(\varphi,\psi)$ and $(\psi,\varphi)$ for covering sequences.

In the next corollary, we give examples of functions satisfying the hypothesis of 
the second part of the remark above. 

Corollary 5. Let $F$ be a permutation on $\mathbb{F}_2^n=\mathbb{F}_2^r\times\mathbb{F}_2^s$ defined by $F(x,y)=(F'(x,y),P(y))$ where $F'$ is an $(r+s,r)$-function belonging to $\mathcal{M}_{r+s,r}$ and where $P$ is a permutation on $\mathbb{F}_2^s$. If $\mathcal{K}$ is included in $\mathbb{F}_2^n$ and if the round functions $F_k$ of an $R$-round iterated block cipher are defined by $F_k(x,y)=F(x+k^{(r)},\,y+k^{(s)})$ where $k=(k^{(r)},k^{(s)})\in\mathcal{K}$, then the reduced cipher $G_{k_1,\ldots,k_{R-1}}$ admits $(\delta_{\mathbb{F}_2^r\times\{0\}},\,\delta_{\mathbb{F}_2^r\times\{0\}})$ for covering sequence.

Proof. According to Corollary 4, the pair $(\delta_{\mathbb{F}_2^r\times\{0\}},\,\delta_{\mathbb{F}_2^r\times\{0\}})$ is a covering sequence of $F$. Since the round keys $k$ are introduced by addition (i.e. we have $F_{(k^{(r)},k^{(s)})}(x,y)=F(x+k^{(r)},\,y+k^{(s)})$), the pair $(\delta_{\mathbb{F}_2^r\times\{0\}},\,\delta_{\mathbb{F}_2^r\times\{0\}})$ is a covering sequence of all the functions $F_k$ for every choice of round key $k=(k^{(r)},k^{(s)})$. After applying Proposition 13 to the round functions $F_{k_1},\ldots,F_{k_{R-1}}$, where $(k_1,\ldots,k_{R-1})$ is any $(R-1)$-tuple of $\mathcal{K}$, we deduce that the reduced cipher $G_{k_1,\ldots,k_{R-1}}$ admits $(\delta_{\mathbb{F}_2^r\times\{0\}},\,\delta_{\mathbb{F}_2^r\times\{0\}})$ for covering sequence.

Remark 18. The existence of a discriminator derived from covering sequences implies the definition of a new discriminator derived from a higher-order structure. Indeed, if an $(n,m)$-function $G$ admits $(\varphi,\psi)$ for covering sequence, then it admits a higher-order structure $(V,c)$ such that $V = \{a \in \mathbb{F}_2^n ;\ \varphi(a) = 1 \bmod 2\}$ and $c = \sum_{b \in \mathbb{F}_2^m} (\psi(b) \bmod 2)\, b$, since one can always reduce modulo 2 the summations in (23) to obtain a higher-order structure. However, since covering sequences give more information about the function than the higher-order structures defined from them as above, a discriminator using covering sequences is more efficient than a discriminator derived from the corresponding higher-order structures. 



5.3 On a Generalization of Covering Sequences of Vectorial Functions 

Due to Proposition 18, the discrimination derived from covering sequences does 
not allow us to attack reduced ciphers which could not be attacked by using 
higher-order structures. A solution to design an attack on these functions which 
would work when no higher-order structure exists, would be to search for a 
generalization of covering sequences which still has a good behavior for the com- 
position and the concatenation of vectorial functions. In what follows, we give a 
way to generalize the notion of covering sequence of vectorial functions. 
Definition 8. Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. We call generalized covering sequence of $F$ any pair $(\Phi,\Psi)$ of functions from, respectively, $(\mathbb{F}_2^n)^2$ and $\operatorname{Im} F \times \mathbb{F}_2^m$, into $\mathbb{R}$ such that: 

$$\forall x \in \mathbb{F}_2^n,\ \forall b \in \mathbb{F}_2^m,\quad \sum_{a \in \mathbb{F}_2^n,\ D_aF(x) = b} \varphi_x(a) = \psi_{F(x)}(b) \qquad (31)$$

where $\varphi_x(a)$ and $\psi_{F(x)}(b)$ denote $\Phi(x,a)$ and $\Psi(F(x),b)$, respectively. 

Remark 19. Any injective $(n,m)$-function $F$ admits the generalized covering sequence $(\Phi,\Psi)$ where $\Phi$ is the constant function $(x,a) \in (\mathbb{F}_2^n)^2 \mapsto 1$ and where $\Psi(F(x),b)$ denotes the cardinality of $\{a \in \mathbb{F}_2^n ;\ D_aF(x) = b\}$. 

Proposition 15. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^p$ and $G : \mathbb{F}_2^p \to \mathbb{F}_2^m$ be two functions admitting respectively $(\Phi,\Theta)$ and $(\Theta,\Psi)$ for generalized covering sequences. Then, $(\Phi,\Psi)$ is a generalized covering sequence of $G \circ F$. 

Proof. The proof is similar to that of Proposition 13. 

Now, a discriminator can be derived from a generalized covering sequence of a round function $F$ in a similar way as for covering sequences. Clearly, this new discriminator does not necessarily imply a second one involving higher-order structures. Such a discriminator will be efficient if the number of functions $\psi_x$ which are different and the cardinality of the set $\bigcup_{x \in \mathbb{F}_2^n} \operatorname{Supp}\, \psi_x$ are small. 
Abstract. Let $f \in \mathbb{F}_q[x]$ where $\mathbb{F}_q$ is a finite field of characteristic $p$. Wan et al. discovered a lower bound for the value set of $f$ in terms of an invariant $U_q(f)$ associated to the polynomial $f$. We define a notion of $U_q$-sharp subsets of $\mathbb{F}_q$ and discuss related problems. We show how the notion of $U_q$-sharp sets may be used to give yet another proof of the classical Cauchy-Davenport theorem. 



1 Introduction 

In the Fq7 conference the author discussed a new proof of the Cauchy-Davenport 
theorem using ideas related to value sets of polynomials over finite fields, see 
[2]. The following problem (which is not discussed in [2]) arose during these 
investigations. 

Let $\mathbb{F}_q$ be the finite field of $q = p^r$ elements, where $p$ is a prime and $r$ is a positive integer. The prime field of characteristic $p$ is denoted by $\mathbb{F}_p$. 

Definition 1. Let $f(x_1,\ldots,x_n) \in \mathbb{F}_q[x_1,\ldots,x_n]$. The value set $V(f)$ of $f$ is defined by $V(f) = \{f(a_1,\ldots,a_n) : (a_1,\ldots,a_n) \in \mathbb{F}_q^n\}$. In other words $V(f)$ is the range of $f$. We also define $U_q(f)$ to be the smallest positive integer $i$ such that $\sum_{(a_1,\ldots,a_n) \in \mathbb{F}_q^n} f(a_1,\ldots,a_n)^i \neq 0$. If such an $i$ does not exist then set $U_q(f) = \infty$. 

Note that in the above definition $U_q(f) = \infty$ if any of the variables $x_i$ does not appear in the expression for $f$. To avoid confusion we may assume that all the variables $x_i$ appear in the expression for $f$. 

In [5] Wan et al. found a lower bound for the cardinality of the value set of a single variable polynomial $f(x)$ in terms of $U_q(f)$. In [2] their theorem was generalised to the multivariable case as follows. Note that in [5] and [2] the authors use the notation $U_p$ instead of $U_q$ for this invariant. 

Theorem 1. Let $f \in \mathbb{F}_q[x_1,x_2,\ldots,x_n]$ and let $V(f)$ be the value set of $f$. Let $U_q(f)$ be defined as in Definition 1. If $U_q(f) < \infty$ then 

$$|V(f)| \ge U_q(f) + 1.$$

The results above are not enough to give a direct proof of the classical 
Cauchy-Davenport theorem whose statement follows after the following defi- 
nition. 
Definition 2. Let $A$ and $B$ be nonempty subsets of a field $F$. The sumset $A + B$ is defined by 

$$A + B = \{a + b : a \in A \text{ and } b \in B\}. \qquad (1)$$

The following is the classical Cauchy-Davenport theorem which has numerous 
applications in additive number theory (see [4] for example). 

Theorem 2. Let $A, B$ be nonempty subsets of $\mathbb{F}_p$. Then 

$$|A + B| \ge \min\{p, |A| + |B| - 1\}.$$

In [2] we prove a more general version of the above theorem in the case of arbitrary fields, see also [1]. Here we introduce the notion of $U_q$-sharp sets. This gives yet another proof of the classical Cauchy-Davenport theorem. 

2 $U_q$-sharp sets 

Definition 3. Let $f \in \mathbb{F}_q[x]$. We define $f$ to be $U_q$-sharp if $|V(f)| = U_q(f) + 1$. 

If $A$ is a nonempty subset of $\mathbb{F}_q$ we define $A$ to be a $U_q$-sharp subset of $\mathbb{F}_q$ if there exists a polynomial $f \in \mathbb{F}_q[x]$ such that $f$ is $U_q$-sharp and $V(f) = A$. 

It follows from the Hermite-Dickson criterion (see [3, page 349]) that if $f$ is a permutation polynomial then $U_q(f) = q - 1$. Hence permutation polynomials are $U_q$-sharp. 

Since $|V(x^d)| = U_q(x^d) + 1$ for every monomial $x^d$, monomials are $U_q$-sharp. 

In [5] value sets of polynomials of the form $g_a(x) = x^r\big(x^{(q-1)/d} + a\big)$ where $d \mid q-1$ and $(r, q-1) = 1$, are discussed at length. Thus it is well understood when such polynomials are $U_q$-sharp. 
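To make Definition 1 and the bound of Theorem 1 concrete, here is an added example (not part of the paper) that computes $V(f)$ and $U_p(f)$ for one-variable polynomials over a prime field and tests $U_p$-sharpness as in Definition 3. It assumes $q = p$ is prime, so field arithmetic is integer arithmetic modulo $p$; the polynomials it runs on are constructed for illustration.

```python
# Added example (not from the paper): value set V(f) and the invariant U_p(f)
# of a one-variable polynomial over a prime field F_p, the Theorem 1 bound
# |V(f)| >= U_p(f) + 1, and the U_p-sharpness test of Definition 3.
# Assumption: q = p is prime, so F_q arithmetic is integer arithmetic mod p.


def evaluate(coeffs, x, p):
    """Horner evaluation of f(x) mod p; coeffs[k] is the coefficient of x^k."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def value_set(coeffs, p):
    """V(f) = {f(a) : a in F_p} (Definition 1 in one variable)."""
    return {evaluate(coeffs, a, p) for a in range(p)}


def u_invariant(coeffs, p):
    """U_p(f): smallest i >= 1 with sum_{a in F_p} f(a)^i != 0 in F_p.

    For i >= 1 the power sum depends only on i mod (p-1), since f(a)^(p-1) = 1
    whenever f(a) != 0 and 0^i = 0.  So if no i in 1..p-1 works, U_p(f) is
    infinite, which is signalled by returning None.
    """
    values = [evaluate(coeffs, a, p) for a in range(p)]
    for i in range(1, p):
        if sum(pow(v, i, p) for v in values) % p != 0:
            return i
    return None


def theorem1_holds(coeffs, p):
    """The Wan et al. bound |V(f)| >= U_p(f) + 1, whenever U_p(f) < infinity."""
    u = u_invariant(coeffs, p)
    return u is None or len(value_set(coeffs, p)) >= u + 1


def is_up_sharp(coeffs, p):
    """Definition 3: f is U_p-sharp iff |V(f)| = U_p(f) + 1."""
    u = u_invariant(coeffs, p)
    return u is not None and len(value_set(coeffs, p)) == u + 1


if __name__ == "__main__":
    p = 7
    # coefficient lists are low degree first: [0, 0, 1] is x^2, [0, 1, 0, 1] is x + x^3
    for name, f in (("x", [0, 1]), ("x^2", [0, 0, 1]), ("x^3 + x", [0, 1, 0, 1])):
        print(name, sorted(value_set(f, p)), u_invariant(f, p), is_up_sharp(f, p))
```

Over $\mathbb{F}_7$ the permutation polynomial $x$ has $U_7 = 6 = q - 1$ (the Hermite-Dickson case above), the monomial $x^2$ has $|V| = 4 = U_7 + 1$, while $x^3 + x$ has $|V| = 5 > U_7 + 1 = 3$: the bound holds but the polynomial is not $U_7$-sharp.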

It appears that $U_q$-sharp sets have not been investigated earlier. We can state the following. 

Proposition 1. 

1) $\mathbb{F}_q$ is $U_q$-sharp. 

2) If $A \subseteq \mathbb{F}_q$ and $|A| = 2$ then $A$ is $U_q$-sharp. 

3) If $A \subseteq \mathbb{F}_q$, $q \neq 3$ and $|A| = q - 1$ then $A$ is not $U_q$-sharp. 

Proof. Statement 1) is obvious since permutation polynomials are $U_q$-sharp. The proofs of 2) and 3) follow easily from Proposition 2 below. □ 

Definition 4. Let $A = \{a_1,\ldots,a_K\} \subseteq \mathbb{F}_q$ with $|A| = K$. Let $f \in \mathbb{F}_q[x]$ such that $V(f) = A$. For $1 \le i \le K$, we let $m_i = |f^{-1}(a_i)| = |\{a \in \mathbb{F}_q : f(a) = a_i\}|$. We call $M(f) = \{m_i : i = 1,\ldots,K\}$ the set of multiplicities of $f$. 

Note that different sets of multiplicities give rise to different polynomials with the same value set $A$. Now let $A$ be a $U_q$-sharp subset of $\mathbb{F}_q$ with $|A| = K$, and let $f \in \mathbb{F}_q[x]$ such that $V(f) = A$ and $|A| = U_q(f) + 1$. Let $\{m_1,\ldots,m_K\}$ be the set of multiplicities of $f$. The following proposition follows directly from the definition of $U_q(f)$ and the discussion above. 
Proposition 2. Let $A \subseteq \mathbb{F}_q$ with $|A| = K > 1$. Then $A$ is a $U_q$-sharp subset of $\mathbb{F}_q$ if and only if there exist positive integers $m_1,\ldots,m_K$ with $\sum m_i = q$ such that the $m_i$ satisfy the following system of linear equations in $\mathbb{F}_q$: 

$$\begin{aligned}
m_1 + m_2 + \cdots + m_K &= 0 \\
a_1 m_1 + a_2 m_2 + \cdots + a_K m_K &= 0 \\
&\ \,\vdots \\
a_1^{K-1} m_1 + a_2^{K-1} m_2 + \cdots + a_K^{K-1} m_K &= \beta
\end{aligned} \qquad (2)$$

where $\beta \neq 0$. 



Discussion. Note that the matrix of coefficients in the above system is the Vandermonde matrix whose $ij$-th entry is $a_j^{\,i-1}$ for $1 \le i, j \le K$. The determinant of the Vandermonde matrix is $\prod_{i > j}(a_i - a_j)$, which is nonzero since the $a_i$ are distinct. Hence the system has a unique solution in $\mathbb{F}_q$. If this solution lies in the prime field $\mathbb{F}_p$, then we can find positive integers representing the residue classes and determine if the condition $\sum m_i = q$ holds in the ring of integers $\mathbb{Z}$. 

We have seen in Proposition 1 that subsets of cardinality $q - 1$ are not $U_q$-sharp. We now give a nontrivial example of subsets of a prime field that are not $U_q$-sharp. 

Example. Let $p \ge 5$. We use least positive integers to represent the residue classes in $\mathbb{F}_p$. Let $c$ be any positive integer such that $2 < c <$ . Consider $A = \{1, c, p - c, p - 1\} \subseteq \mathbb{F}_p$. Then one can check that $(m_1, m_2, m_3, m_4) = (c, p - 1, 1, p - c)$ gives the unique solution of the following system of equations in $\mathbb{F}_p$. (Uniqueness follows from the discussion above.) 

$$\begin{aligned}
m_1 + m_2 + m_3 + m_4 &= 0 \\
m_1 + c\, m_2 + (p - c)\, m_3 + (p - 1)\, m_4 &= 0 \\
m_1 + c^2 m_2 + (p - c)^2 m_3 + (p - 1)^2 m_4 &= 0 \\
m_1 + c^3 m_2 + (p - c)^3 m_3 + (p - 1)^3 m_4 &= \beta,
\end{aligned}$$

where $\beta = 2c(1 - c^2) \not\equiv 0 \pmod p$. Note that $\sum m_i = 2p$ in the ring of integers $\mathbb{Z}$. It is easy to check that $\sum m_i = 2p$ in the ring of integers for all nonzero $\beta$. Hence from Proposition 2, $A$ is not a $U_p$-sharp subset of $\mathbb{F}_p$. 
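The sharpness test of Proposition 2 can be run mechanically when $q = p$ is prime: the Vandermonde solution then lies in $\mathbb{F}_p$ automatically, and the only freedom left is the choice of $\beta \neq 0$ and of positive representatives. The following added example (not from the paper) does exactly this and reproduces the family $A = \{1, c, p - c, p - 1\}$ of the example above; the values $p = 11$, $c = 3$ are constructed for illustration.

```python
# Added example (not from the paper): deciding U_p-sharpness of a subset A of a
# prime field F_p via Proposition 2 -- solve the Vandermonde system (2) for the
# multiplicities m_i in F_p, take positive representatives, and test whether
# they can sum to exactly p.  Assumption: q = p is prime, so the unique solution
# is already in the prime field; representatives other than the least positive
# ones only add multiples of p, so the least ones decide the question.


def solve_mod_p(matrix, rhs, p):
    """Gauss-Jordan elimination over F_p for an invertible square matrix."""
    n = len(rhs)
    aug = [[v % p for v in row] + [b % p] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if aug[r][col] != 0)
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, p)          # modular inverse (Python 3.8+)
        aug[col] = [(v * inv) % p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                factor = aug[r][col]
                aug[r] = [(a - factor * b) % p for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def multiplicities(A, beta, p):
    """Solve system (2): row k has entries a_j^k, right-hand side (0, ..., 0, beta).

    Returns the least positive representatives of the m_i; the class of 0 is
    represented by p itself, the smallest positive integer in it.
    """
    K = len(A)
    vandermonde = [[pow(a, k, p) for a in A] for k in range(K)]
    rhs = [0] * (K - 1) + [beta % p]
    return [m if m != 0 else p for m in solve_mod_p(vandermonde, rhs, p)]


def is_up_sharp_set(A, p):
    """Proposition 2 for q = p prime: A is U_p-sharp iff some beta != 0 yields
    positive representatives with sum exactly p."""
    A = sorted(set(a % p for a in A))
    if len(A) < 2:
        raise ValueError("Proposition 2 needs |A| > 1")
    return any(sum(multiplicities(A, beta, p)) == p for beta in range(1, p))


if __name__ == "__main__":
    p, c = 11, 3                       # constructed instance of A = {1, c, p-c, p-1}
    A = [1, c, p - c, p - 1]
    beta = (2 * c * (1 - c * c)) % p   # beta = 2c(1 - c^2) from the worked example
    print(multiplicities(A, beta, p))  # the paper's (c, p-1, 1, p-c): [3, 10, 1, 8], sum 2p
    print(is_up_sharp_set(A, p), is_up_sharp_set([1, 2], p),
          is_up_sharp_set(range(p), p), is_up_sharp_set(range(p - 1), p))
```

The last line checks Proposition 1 as well: a two-element set and $\mathbb{F}_p$ itself come out sharp, and a set of size $q - 1$ does not (for $\mathbb{F}_{11}$ the representatives are forced to be a permutation of $1,\ldots,10$, whose sum is $55 \neq 11$).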

One can however show the following for prime fields Fp. 



Theorem 3. Let $A \subseteq \mathbb{F}_p$ such that $|A| > 1$ and let $q$ be a power of $p$ with $q > p$. Then $A$ is a $U_q$-sharp subset of $\mathbb{F}_q$. 
Proof: Let $A = \{a_1,\ldots,a_K\}$. Let $(m_1,\ldots,m_K)$ be the unique solution of the following system of equations in $\mathbb{F}_p$. 

$$\begin{aligned}
m_1 + m_2 + \cdots + m_K &= 0 \\
a_1 m_1 + a_2 m_2 + \cdots + a_K m_K &= 0 \\
&\ \,\vdots \\
a_1^{K-1} m_1 + a_2^{K-1} m_2 + \cdots + a_K^{K-1} m_K &= 1.
\end{aligned}$$

First observe that all the $m_i$ have to be nonzero. Otherwise, without loss of generality assume that $m_1 = 0$. Then the first $K - 1$ equations form a system of homogeneous equations in the remaining $K - 1$ variables $m_2,\ldots,m_K$. The coefficient matrix of this system is a Vandermonde matrix with determinant $\prod_{2 \le i < j \le K}(a_j - a_i)$. The determinant is nonzero since the $a_i$ are distinct. But then the homogeneous system must have only the zero solution. This contradicts the last equation. 

We use least positive integer representatives for the $m_i$. If $\sum m_i = rp < q$ in the ring of integers $\mathbb{Z}$, where $r$ is a positive integer such that $p < rp < K(p - 1)$, we replace the positive integer representing the residue class $m_1$ by the positive integer $q - rp + m_1$. Then $\sum m_i = q$, and the proof is complete by Proposition 2. □ 

Theorem 3 can be used to give a new proof of the classical Cauchy-Davenport theorem (Theorem 2), which holds for prime fields. For another proof, see [4] for example. As noted earlier, the methods in [2] give a more general version of the theorem. 

Proof of Theorem 2: We can assume that $|A| > 1$ and $|B| > 1$. Also note that if $A$ and $B$ are subsets of $\mathbb{F}_p$ such that $|A| + |B| > p$ then $A \cap (a - B) \neq \emptyset$ for each $a \in \mathbb{F}_p$. Hence $|A + B| = p$ in this case. So we may assume that $|A| + |B| \le p$. Let $q$ be a power of $p$ with $q > p$. By Theorem 3, we can find $f, g \in \mathbb{F}_q[x]$ such that $V(f) = A$ and $V(g) = B$ with $|A| = U_q(f) + 1$ and $|B| = U_q(g) + 1$. Consider the polynomial $h(x,y) = f(x) + g(y) \in \mathbb{F}_q[x,y]$. Note that $V(h) = A + B$. Using the binomial theorem we get 

$$\sum_{(x,y) \in \mathbb{F}_q^2} h(x,y)^N = \sum_{i + j = N} \binom{N}{i} \Big(\sum_{x \in \mathbb{F}_q} f(x)^i\Big)\Big(\sum_{y \in \mathbb{F}_q} g(y)^j\Big).$$

From the definition of the invariant $U_q$ it follows that $\sum_{x \in \mathbb{F}_q} (f(x))^i = 0$ for $i < U_q(f)$ and $\sum_{y \in \mathbb{F}_q} (g(y))^j = 0$ for $j < U_q(g)$. Since $U_q(f) + U_q(g) = |A| + |B| - 2 \le p - 2$, we have $\binom{U_q(f) + U_q(g)}{U_q(f)} \not\equiv 0 \pmod p$. It follows that $U_q(h) = U_q(f) + U_q(g)$. 

From Theorem 1 we have $|A + B| = |V(h)| \ge U_q(h) + 1 = U_q(f) + U_q(g) + 1 = |A| + |B| - 1$. This proves the theorem. □ 
We conclude with the following problem. 

Problem: Study the structure of $U_q$-sharp subsets of prime and prime power fields. Find suitable conditions for a set to be a $U_q$-sharp subset of a finite field. Find new families of polynomials which are $U_q$-sharp. Find suitable conditions for a polynomial to be $U_q$-sharp. 

Acknowledgments: I thank Gary Mullen and the referee for several helpful 
comments and suggestions. 
Abstract. In this paper we study permutations of finite fields $\mathbb{F}_q$ that decompose as products of cycles of the same length, and are obtained using monomials $x^i \in \mathbb{F}_q[x]$. We give the necessary and sufficient conditions on the exponent $i$ to obtain such permutations. We also present formulas for counting the number of this type of permutations. An application to the construction of encoders for turbo codes is also discussed. 



1 Introduction 

Consider $\mathbb{F}_q$, the finite field with $q$ elements. It is well known that the function $\pi : \mathbb{F}_q \to \mathbb{F}_q$ defined by $\pi(x) = x^i$ produces a permutation of the elements in $\mathbb{F}_q$ if and only if $\gcd(i, q - 1) = 1$. Polynomials that produce permutations are called permutation polynomials. We are interested in permutations of $\mathbb{F}_q$ that decompose in cycles of the same length and are obtained using monomials $x^i$. When $0$, $1$ and $-1$ are the only elements fixed by the permutation, these monomials have been characterized in [6]. Here, we characterize the monomials that produce permutations of $\mathbb{F}_q$ that decompose in cycles of the same length and have any set of fixed elements. We also present formulas for counting the number of such monomials. 

Applications of this type of permutations to the construction of encoders 
for turbo codes are being studied by the authors. Data obtained by Corrada- 
Bravo [2] suggests that the relation between the length of the cycles in the cyclic 
decomposition of the permutation and the length of the cycle of the convolutional 
code in the turbo code affects the performance of the code. In Section 4 we discuss 
the application of monomial permutations with cycles of the same length to turbo 
codes. 

We first review some notation and present some results that will be used in 
the rest of the paper. 

* This work was supported in part by the ADVANCE Institutional Transformation 
Program, NSF Grant SBE-0123654, and by the PR Space Grant IDEAS-ER Pro- 
gram, Grant NAGP5-40091. 
2 Preliminaries from Number Theory 

Some of the following concepts and results are well known and can be found in 
almost any text in number theory. The other results are very easy to prove. 

From now on $p$ is a prime number, $q$ is a power of a prime and $n, k, l, j, h$ are positive integers. The Euler function, $\phi(n)$, denotes the number of positive integers not exceeding $n$ that are relatively prime to $n$. 

One of the most used concepts in this paper is the order of an element. The order of an integer $i$ modulo $n$ is the smallest positive integer $j$ such that $i^j \equiv 1 \pmod n$ and it will be denoted by $j = \operatorname{ord}_n(i)$. 

Lemma 1. If $i \equiv b \pmod{p^k}$, then $i^{p^l} \equiv b^{p^l} \pmod{p^{k+l}}$ for all $l \ge 1$. 

Lemma 2. Let $j = \operatorname{ord}_{p^l}(i)$. Then $j = \operatorname{ord}_{p^{l+1}}(i)$ or $jp = \operatorname{ord}_{p^{l+1}}(i)$. 

Proposition 1. $j = \operatorname{ord}_{p^k}(i)$ and $j \mid (p - 1)$ if and only if $j = \operatorname{ord}_{p^l}(i)$ for all $1 \le l \le k$. 

Lemma 3. Let $p = \operatorname{ord}_{p^k}(i)$ for some $k \ge 2$. Then either $2 = p = \operatorname{ord}_{p^l}(i)$ for $2 \le l \le k$, or $i \equiv 1 \pmod{p^l}$ for $1 \le l < k$. 

Lemma 4. Let $j = \operatorname{ord}_s(i)$, $j = \operatorname{ord}_l(i)$ and $\gcd(s, l) = 1$. Then $j = \operatorname{ord}_{sl}(i)$. 

Lemma 5. Let $j = \operatorname{ord}_s(i)$, $i \equiv 1 \pmod l$ and $\gcd(s, l) = 1$. Then $j = \operatorname{ord}_{sl}(i)$. 

In Section 3.1 we will give formulas to count the number of permutation monomials $x^i \in \mathbb{F}_q[x]$ that decompose in cycles of the same length $j$. The next results will be helpful. 

Proposition 2. Let $p$ be an odd prime and suppose that $j \mid \phi(p^k)$. Then, there are $\phi(j)$ incongruent elements of order $j$ modulo $p^k$. 

Proposition 3. The incongruent solutions of $x^2 \equiv 1 \pmod{2^k}$ are: 

$$\begin{cases} \pm 1,\ \pm(1 + 2^{k-1}) & \text{if } k > 2, \\ \pm 1 & \text{if } k = 2, \\ 1 & \text{if } k = 1. \end{cases}$$

3 Cycles of the Same Length 

The cycle structure of permutation monomials $x^i \in \mathbb{F}_q[x]$ was studied by Ahmad in [1]. The cycle structure for more general polynomials, specifically Dickson polynomials, was studied by Lidl and Mullen in [4]. Here, we present the necessary and sufficient conditions on the exponent $i$ to obtain permutations of $\mathbb{F}_q$ that decompose in cycles of the same length. We will use the following result proven in [1]. 
Theorem 1. The permutation of $\mathbb{F}_q$ given by $x^i$ has a cycle of length $j$ if and only if $j = \operatorname{ord}_t(i)$, where $t \mid (q - 1)$. The number $N_j$ of such cycles is 

$$j N_j = \gcd\left(q - 1,\ i^j - 1\right) - \sum_{s \mid j,\ s < j} s N_s .$$

We say that a permutation has cycles of the same length $j$ if the permutation decomposes in cycles of length $j$ or 1. The next theorem characterizes the permutation monomials with this property. 

Theorem 2. Let $q - 1 = p_0^{k_0} p_1^{k_1} \cdots p_r^{k_r}$. The permutation of $\mathbb{F}_q$ given by $x^i$ has cycles of the same length $j$ if and only if one of the following holds for each $l = 0, \ldots, r$: 

1. $i \equiv 1 \pmod{p_l^{k_l}}$ 

2. $j = \operatorname{ord}_{p_l^{k_l}}(i)$ and $j \mid (p_l - 1)$ 

3. $j = \operatorname{ord}_{p_l^{k_l}}(i)$, $k_l \ge 2$ and $j = p_l$. 

Proof. ($\Leftarrow$) If $i \equiv 1 \pmod{p_l^{k_l}}$ for all $l = 0, 1, \ldots, r$, then $x^i$ is the identity permutation. Suppose that $1 < j = \operatorname{ord}_{p_l^{k_l}}(i)$ for some of the $l$'s and $i \equiv 1 \pmod{p_l^{k_l}}$ for the others. Proposition 1 and Lemma 3 guarantee that $j = \operatorname{ord}_{p_l^k}(i)$ or $i \equiv 1 \pmod{p_l^k}$ for all $l = 0, 1, \ldots, r$ and $1 \le k \le k_l$. Now, if $t \mid (q - 1)$, then by Lemmas 4 and 5, we have that $j = \operatorname{ord}_t(i)$ or $i \equiv 1 \pmod t$. Hence, by Theorem 1, all the cycles have length $j$ or 1. 

($\Rightarrow$) Suppose that all the cycles have the same length $j$. Then, by Theorem 1, $j = \operatorname{ord}_t(i)$ or $i \equiv 1 \pmod t$ for all $t$ that divides $q - 1$. This holds in particular for $t = p_l^{k_l}$, $l = 0, 1, \ldots, r$. We only have to prove that, if $j = \operatorname{ord}_{p_l^{k_l}}(i)$ then 

$$j \mid (p_l - 1) \quad \text{or} \quad j = p_l,\ k_l \ge 2.$$

Suppose that $1 \neq j = \operatorname{ord}_{p_l^{k_l}}(i)$. If $k_l = 1$ then $j \mid (p_l - 1)$ and we are done. 

If $k_l \ge 2$ and $j \nmid (p_l - 1)$, then Proposition 1 implies that $j \neq \operatorname{ord}_{p_l^k}(i)$ for some $k < k_l$. Let $s$ be the largest one such that $j \neq \operatorname{ord}_{p_l^s}(i)$. Then $i \equiv 1 \pmod{p_l^s}$ because otherwise, by Theorem 1, there would be a cycle of length different from $j$. By Lemma 1, $i^{p_l} \equiv 1 \pmod{p_l^{s+1}}$. But $j = \operatorname{ord}_{p_l^{s+1}}(i)$ implies that $j \mid p_l$ and hence $j = p_l$. □ 

The next results consider the special cases where $0, 1$ or $0, 1, -1$ are the only elements fixed by the permutation. These results were first presented in [6], but the proofs there did not use Theorem 1. 

It is clear that 0 and 1 are always fixed by the permutation $x^i$. Fixed elements are the same as cycles of length 1, so, by Theorem 1, an element (of multiplicative order $t$) is fixed if and only if $i \equiv 1 \pmod t$, where $t \mid (q - 1)$. Note that $-1$ is a fixed element if and only if $i \equiv 1 \pmod 2$. Hence, $0, 1, -1$ are the only elements fixed by the permutation if and only if $i \not\equiv 1 \pmod t$ for any $t \neq 2$ such that $t \mid (q - 1)$. 

We first consider $q$ such that 4 does not divide $q - 1$. 
Theorem 3. Let $q - 1 = p_0^{k_0} p_1^{k_1} \cdots p_r^{k_r}$, $p_0 = 2$, $k_0 = 0, 1$. The permutation of $\mathbb{F}_q$ given by $x^i$ decomposes in cycles with the same length $j$ and $0, 1, -1$ or $0, 1$ are the only fixed elements if and only if $j = \operatorname{ord}_{p_l^{k_l}}(i)$ and $j \mid (p_l - 1)$ for $p_l \neq 2$. 

Proof. ($\Rightarrow$) Suppose that all the cycles have length $j$ and $0, 1, -1$ or $0, 1$ are the only fixed elements. Then $j = \operatorname{ord}_{p_l^k}(i)$ for $p_l \neq 2$, $k \le k_l$ and, by Proposition 1, $j \mid (p_l - 1)$. 

($\Leftarrow$) Suppose that $j = \operatorname{ord}_{p_l^{k_l}}(i)$ and $j \mid (p_l - 1)$ for $p_l \neq 2$. Then, Theorem 2 implies that all the cycles have the same length $j$. Also, Proposition 1 implies that $j = \operatorname{ord}_{p_l^h}(i)$, $h \le k_l$, $p_l \neq 2$. Hence $i \not\equiv 1 \pmod t$ for any $t \mid (q - 1)$, $t \neq 2$, and the only possible fixed elements are $0, 1, -1$. □ 

In the case where 4 divides q — 1 there are only two monomials that give 
permutations that decompose in cycles of the same length and have 0, 1, —1 as 
the only fixed elements. Also, the length of the cycles on such permutations is 
always 2. 

Theorem 4. Let $q - 1 = p_0^{k_0} p_1^{k_1} \cdots p_r^{k_r}$, where $p_0 = 2$, $k_0 \ge 2$. The permutation of $\mathbb{F}_q$ given by $x^i$ decomposes in cycles of the same length $j$ and $0, 1, -1$ are the only fixed elements if and only if $j = \operatorname{ord}_{p_l^{k_l}}(i)$ for $p_l \neq 2$, $j = \operatorname{ord}_{2^h}(i)$ for $2 \le h \le k_0$, and $j = 2$. 

Proof. By the arguments given before Theorem 3, $0, 1, -1$ are the only fixed elements if and only if $i \not\equiv 1 \pmod{p_l^h}$ for $p_l \neq 2$, $h \le k_l$, and for $p_0 = 2$, $2 \le h \le k_0$. Since $j \mid (p_0 - 1)$ would imply that $j = 1$, the result now follows applying Theorem 2. □ 

Corollary 1. Let $q - 1 = p_0^{k_0} p_1^{k_1} \cdots p_r^{k_r}$, where $p_0 = 2$, $k_0 > 2$. The permutation of $\mathbb{F}_q$ given by $x^i$ decomposes in cycles of the same length $j$ and $0, 1, -1$ are the only fixed elements if and only if $j = 2$ and $i = q - 2$ or $i =$ [second exponent illegible in the source]. 

Proof. By Proposition 3, for $k_0 > 2$, $2 = \operatorname{ord}_{2^{k_0}}(i)$ if and only if $i \equiv -1$ or $i \equiv \pm\left(1 + 2^{k_0 - 1}\right) \pmod{2^{k_0}}$. But $2 = \operatorname{ord}_4(i)$ if and only if $i \equiv -1$ or $i \equiv -1 - 2^{k_0 - 1} \pmod{2^{k_0}}$. 

Then, by the previous theorem and Proposition 3, we have cycles of the same length $j$ and $0, 1, -1$ are the only fixed elements if and only if $i \equiv -1$ or $i \equiv -1 - 2^{k_0 - 1} \pmod{2^{k_0}}$, and $i \equiv -1 \pmod{p_l^{k_l}}$. Hence, there are only two $i$'s such that the permutation $x^i$ decomposes in cycles of the same length $j = 2$ and has $0, 1, -1$ as the only fixed elements. Noting that $i + 1 + 2^{k_0 - 1} = 2^{k_0} s$ for some $s \in \mathbb{Z}$, we get that $i \equiv -1 \pmod{q - 1}$ and $i \equiv$ [illegible in the source] $\pmod{q - 1}$ are the only solutions. □ 

Corollary 2. Let $q - 1 = 4 p_1^{k_1} \cdots p_r^{k_r}$. The permutation of $\mathbb{F}_q$ given by $x^i$ decomposes in cycles of the same length $j$ and $0, 1, -1$ are the only fixed elements if and only if $j = 2$ and $i = q - 2$. 

Proof. By arguments similar to those given in the previous proof, the only $i$ such that $x^i$ gives a permutation with cycles of the same length $j = 2$ and has $0, 1, -1$ as the only fixed elements is $i \equiv -1 \pmod{q - 1}$. □ 



3.1 Counting the Number of Permutation Monomials that Decompose in Cycles of the Same Length 

In this section we give formulas for counting the number of permutation monomials that decompose in cycles of the same length $j$. To do this, we define a bijection between the set of all the $i$ such that $x^i$ decomposes in cycles of the same length $j$ and another set. Let $q - 1 = p_0^{k_0} p_1^{k_1} \cdots p_r^{k_r}$, and define 

$$U_j = \left\{\, i \mid x^i \text{ is a permutation of } \mathbb{F}_q \text{ that decomposes in cycles of length } j \,\right\}$$

and 

$$W_j = \left\{\, (w_0, w_1, \ldots, w_r) \mid w_n \in \mathbb{Z}_{p_n^{k_n}},\ j = \operatorname{ord}_{p_n^{k_n}}(w_n) \text{ for } j \mid (p_n - 1),\ \text{or } j = \operatorname{ord}_{p_n^{k_n}}(w_n) \text{ for } k_n \ge 2 \text{ and } j = p_n,\ \text{or } w_n \equiv 1 \pmod{p_n^{k_n}} \,\right\}.$$



Lemma 6. Let $q - 1 = p_0^{k_0} p_1^{k_1} \cdots p_r^{k_r}$ and $U_j$ and $W_j$ be defined as above. Let $f_j : U_j \to W_j$ be defined by $f_j(i) = (w_0, w_1, \ldots, w_r)$, where $i \equiv w_n \pmod{p_n^{k_n}}$ for $0 \le n \le r$. Then $f_j$ is a bijection. 

Proof. Note that by Theorem 2, $x^i$ decomposes in cycles of length $j$ if and only if for each $0 \le n \le r$, we have that $j = \operatorname{ord}_{p_n^{k_n}}(i)$ for $j \mid (p_n - 1)$, or $j = \operatorname{ord}_{p_n^{k_n}}(i)$ for $k_n \ge 2$ and $j = p_n$, or $i \equiv 1 \pmod{p_n^{k_n}}$. Since $i \equiv w_n \pmod{p_n^{k_n}}$ for $0 \le n \le r$ we have that $f_j(U_j) \subseteq W_j$. 

To see that $f_j$ is onto, let $(w_0, w_1, \ldots, w_r) \in W_j$. We need to find $i$ such that $x^i$ decomposes in cycles of length $j$ and $i \equiv w_n \pmod{p_n^{k_n}}$ for $0 \le n \le r$. By the definition of $W_j$ and Theorem 2, we just have to find a solution to the system 

$$\begin{cases} i \equiv w_0 \pmod{p_0^{k_0}} \\ i \equiv w_1 \pmod{p_1^{k_1}} \\ \qquad \vdots \\ i \equiv w_r \pmod{p_r^{k_r}} \end{cases}$$

The Chinese Remainder Theorem guarantees that there is a unique solution modulo $q - 1 = p_0^{k_0} p_1^{k_1} \cdots p_r^{k_r}$. □ 
Theorem 5. Let $q - 1 = p_0^{k_0} p_1^{k_1} \cdots p_r^{k_r}$. Then, the number of permutations $x^i$ of $\mathbb{F}_q$ with cycles of the same length $j \neq 1$ is 

$$\prod_{n=0}^{r} f\!\left(j, p_n^{k_n}\right) - 1, \qquad (1)$$

where, for $p_n$ odd, 

$$f\!\left(j, p_n^{k_n}\right) = \begin{cases} 1 + \phi(j) & \text{if } j \mid (p_n - 1) \\ 1 + \phi(j) & \text{if } j = p_n \text{ and } k_n \ge 2 \\ 1 & \text{otherwise,} \end{cases} \qquad (2)$$

and, for $p_n = 2$, 

$$f\!\left(j, 2^k\right) = \begin{cases} 4 & \text{if } j = 2,\ k \ge 3 \\ 2 & \text{if } j = 2,\ k = 2 \\ 1 & \text{if } j = 2,\ k = 1,\ \text{or } j > 2. \end{cases} \qquad (3)$$

Proof. From the previous lemma we have that counting the $x^i$ with cycles of length $j$ is the same as counting the elements in $W_j$. For each $0 \le n \le r$, we have to count the number $f(j, p_n^{k_n})$ of elements in $\mathbb{Z}_{p_n^{k_n}}$ of order 1, or of order $j$ if $j \mid (p_n - 1)$ or $j = p_n$. Formula (1) gives us the number of all possible $x^i$ with cycles of length $j$; we subtract 1 for the case where $i \equiv 1 \pmod{q - 1}$, that is when all the elements are fixed. 

By Proposition 2, there are $\phi(j)$ elements of order $j$ and one element congruent to 1 in $\mathbb{Z}_{p_n^{k_n}}$ for each $p_n$ odd. This gives us (2). For the case $p_n = 2$ and $j > 2$, by Theorem 2, one must have that $i \equiv 1 \pmod{2^k}$ and hence $f(j, 2^k) = 1$ for $j > 2$. The other cases in (3) follow from Proposition 3. □ 
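The following added example (not the authors' code) brute-forces the cycle structure of $x^i$ on a prime field $\mathbb{F}_p$, compares it with the cycle-length criterion of Theorem 1, and checks the count of Theorem 5 against an exhaustive search over exponents. It assumes $q = p$ is prime so that field arithmetic is plain modular arithmetic; the theorems themselves hold for any $q$, and the values of $p$ and $j$ used below are constructed for illustration.

```python
# Added example (not from the paper): cycle structure of the permutation
# monomial x^i on a prime field F_p, the criterion of Theorem 1, and the
# count of Theorem 5 checked against brute force.
# Assumption: q = p is prime, so F_q arithmetic is integer arithmetic mod p.
from math import gcd


def factorize(n):
    """Prime factorisation of n >= 2 as a list of (prime, exponent) pairs."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            e = 0
            while n % d == 0:
                n //= d
                e += 1
            out.append((d, e))
        d += 1
    if n > 1:
        out.append((n, 1))
    return out


def phi(n):
    """Euler's totient function phi(n)."""
    result = n
    for pr, _ in factorize(n):
        result = result // pr * (pr - 1)
    return result


def ord_mod(i, t):
    """ord_t(i): least j >= 1 with i^j = 1 (mod t); requires gcd(i, t) = 1."""
    j, x = 1, i % t
    while x != 1 % t:
        x = (x * i) % t
        j += 1
    return j


def cycle_lengths(p, i):
    """Sorted list of the cycle lengths of x -> x^i on all of F_p."""
    assert gcd(i, p - 1) == 1, "x^i permutes F_p iff gcd(i, p-1) = 1"
    seen, lengths = set(), []
    for x in range(p):
        if x in seen:
            continue
        y, length = x, 0
        while y not in seen:
            seen.add(y)
            y = pow(y, i, p)
            length += 1
        lengths.append(length)
    return sorted(lengths)


def theorem1_lengths(p, i):
    """Theorem 1: the set of cycle lengths is {ord_t(i) : t | (q-1)}."""
    return {ord_mod(i, t) for t in range(1, p) if (p - 1) % t == 0}


def same_length_exponents(p, j):
    """Brute force: exponents i whose x^i has every cycle of length j or 1 and
    at least one j-cycle (this excludes the identity i = 1)."""
    found = set()
    for i in range(1, p - 1):
        if gcd(i, p - 1) == 1 and {l for l in cycle_lengths(p, i) if l != 1} == {j}:
            found.add(i)
    return found


def f_factor(j, pn, kn):
    """The factor f(j, p_n^{k_n}) of formulas (2) (p_n odd) and (3) (p_n = 2)."""
    if pn == 2:
        if j == 2:
            return {1: 1, 2: 2}.get(kn, 4)   # k = 1 -> 1, k = 2 -> 2, k >= 3 -> 4
        return 1
    if (pn - 1) % j == 0 or (j == pn and kn >= 2):
        return 1 + phi(j)
    return 1


def count_theorem5(p, j):
    """Formula (1): prod_n f(j, p_n^{k_n}) - 1, for q = p and j != 1."""
    total = 1
    for pn, kn in factorize(p - 1):
        total *= f_factor(j, pn, kn)
    return total - 1


if __name__ == "__main__":
    for p, j in ((7, 2), (13, 2), (19, 3), (19, 6)):   # constructed test values
        print(p, j, sorted(same_length_exponents(p, j)), count_theorem5(p, j))
    print(cycle_lengths(19, 7), theorem1_lengths(19, 7))
```

For $q = 19$, $q - 1 = 2 \cdot 3^2$, the case $j = p_n$ with $k_n \ge 2$ of formula (2) is exercised: $f(3, 9) = 1 + \phi(3) = 3$, so there are $3 - 1 = 2$ monomials ($x^7$ and $x^{13}$) with all cycles of length 3 or 1, and the brute-force search finds exactly those two.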

Now consider the case where the permutation $x^i$ has cycles of length $j$ and $0, 1, -1$ are the only elements fixed by the permutation. This case is of particular interest for the application to turbo codes, as we will explain in the next section. 

Corollary 2 says that, when $q - 1 = 4 p_1^{k_1} \cdots p_r^{k_r}$, the only permutation $x^i \in \mathbb{F}_q[x]$ that decomposes in cycles of the same length and has $0, 1, -1$ as the only fixed elements is $x^{q-2}$. For the case when $q - 1 = 2^k p_1^{k_1} \cdots p_r^{k_r}$, $k > 2$, Corollary 1 gives us two permutation monomials with this property: $x^{q-2}$ and the second monomial of Corollary 1. The following proposition gives us the number of monomials with this property for the other cases. 



Proposition 4. Let $q - 1 = p_0^{k} p_1^{k_1} \cdots p_r^{k_r}$, $k = 0, 1$. The number of monomials $x^i \in \mathbb{F}_q[x]$ with cycles of length $j$ that have $0, 1$ or $0, 1, -1$ as the only fixed elements is $\phi(j)^r$ if $j \mid (p_n - 1)$ for all $1 \le n \le r$, and 0 otherwise. 

Proof. By Theorem 3, $x^i$ has cycles of length $j$ and $0, 1$ or $0, 1, -1$ are the only fixed elements only if $j \mid (p_n - 1)$ for all $1 \le n \le r$. Suppose that $j \mid (p_n - 1)$ for all $1 \le n \le r$. As in Lemma 6, we can construct a bijection between the set of monomials $x^i$ that decompose in cycles of length $j$ and have $0, 1$ or $0, 1, -1$ as the only fixed elements and the set 

$$W_j = \left\{\, (w_1, w_2, \ldots, w_r) \mid w_n \in \mathbb{Z}_{p_n^{k_n}},\ j = \operatorname{ord}_{p_n^{k_n}}(w_n) \,\right\}.$$

Again, counting the number of such monomials is the same as counting the number of elements in $W_j$. Hence, by Proposition 2, there are $\phi(j)^r$ monomials $x^i \in \mathbb{F}_q[x]$ that have cycles of length $j$ and have $0, 1$ or $0, 1, -1$ as the only fixed elements. □ 



4 Application to Turbo Codes 

Error control codes are used in digital communication systems to protect information from errors that might occur during transmission. Turbo codes are especially suitable for satellite communication systems since they provide error control performance with a good reduction in the transmitter power levels. 

One of the main components of a turbo encoder is the interleaver, which per- 
mutes the information symbols. The current practice to construct interleavers 
is to choose them randomly. The fact that these interleavers are found by com- 
puter search implies that they have to be stored in memory. Although good 
performance can be obtained with this type of construction, it is bad for imple- 
mentation as well as for performance analysis. To avoid this problem, researchers 
have considered deterministic constructions that can be generated on the fly and 
that perform as well as random interleavers. 

Most of the known methods for constructing interleavers algebraically do not 
produce interleavers that perform well. Some of the properties associated to the 
interleaver that are important to obtain “good” turbo encoders are the spreading 
and the dispersion factors. An article by Takeshita and Costello [7] as well as 
data obtained by Corrada-Bravo [2] suggested that another important property 
of an interleaver is the length of the cycles in the cyclic decomposition of the 
permutation in relation to the length of the cycle of the convolutional code in 
the turbo code. 

We are constructing interleavers using permutation monomials that give permutations with a fixed length of cycles and studying the spreading and dispersion properties as well as the performance of the codes. In particular, we are studying permutations that only fix $0, 1, -1$ because, usually, permutations with few fixed elements have good dispersion. Also, it is very simple to construct monomials $x^i \in \mathbb{F}_q[x]$ that give permutations that decompose in cycles of the same length $j$ and only fix $0, 1, -1$: if $4 \mid (q - 1)$ and $j = 2$, the monomials of Corollaries 1 and 2 are the only choices; for $q - 1 = p_0^{k} p_1^{k_1} \cdots p_r^{k_r}$, $k = 0, 1$ and $j \mid (p_n - 1)$ for all $1 \le n \le r$, we only have to find $i$ such that 

$$\begin{cases} i \equiv 1 \pmod 2 \\ i \equiv w_1 \pmod{p_1^{k_1}} \\ \qquad \vdots \\ i \equiv w_r \pmod{p_r^{k_r}}. \end{cases}$$

The proof of the Chinese Remainder Theorem gives an easy way to construct these $i$'s. 
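As an added example (not the authors' code), the construction just described can be carried out directly: for each odd prime power $p_n^{k_n}$ dividing $q - 1$ pick an element $w_n$ of order $j$, solve the congruence system by the Chinese Remainder Theorem, and then verify on $\mathbb{F}_p$ that the resulting $x^i$ fixes only $0, 1, -1$ and has cycles of length $j$ only (using the Theorem 1 criterion). It assumes $q = p$ is prime with $4 \nmid q - 1$; the sample values $p = 23$, $j = 5$ and $p = 31$, $j = 2$ are constructed, and the number of exponents found agrees with $\phi(j)^r$ from Proposition 4.

```python
# Added example (not from the paper): exponents i of the Section 4 construction
# via the Chinese Remainder Theorem, with direct checks on F_p.
# Assumption: q = p is prime and q-1 = 2 * p_1^{k_1} ... p_r^{k_r} (4 does not
# divide q-1), i.e. the k = 1 case of Proposition 4.
from itertools import product
from math import gcd


def odd_prime_powers(n):
    """Odd part of n as (p, p^k) pairs, p^k being the exact power of p dividing n."""
    out, d = [], 3
    while n % 2 == 0:
        n //= 2
    while d * d <= n:
        pk = 1
        while n % d == 0:
            n //= d
            pk *= d
        if pk > 1:
            out.append((d, pk))
        d += 2
    if n > 1:
        out.append((n, n))
    return out


def ord_mod(i, t):
    """ord_t(i): least j >= 1 with i^j = 1 (mod t); requires gcd(i, t) = 1."""
    j, x = 1, i % t
    while x != 1 % t:
        x = (x * i) % t
        j += 1
    return j


def crt(residues, moduli):
    """Smallest non-negative x with x = r_n (mod m_n) for pairwise coprime m_n."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, mod)) % mod   # m is invertible mod `mod`
        x += m * t
        m *= mod
    return x % m


def section4_exponents(p, j):
    """All i (mod p-1) with i = 1 (mod 2) and ord_{p_n^{k_n}}(i) = j for every odd
    prime power exactly dividing p-1.  By Proposition 4 there are phi(j)^r of
    them when j | (p_n - 1) for all n, and none otherwise."""
    assert (p - 1) % 4 != 0, "the construction needs 4 not dividing q-1"
    factors = odd_prime_powers(p - 1)
    if any((pn - 1) % j != 0 for pn, _ in factors):
        return set()
    # candidates w_n of order j modulo p_n^{k_n}, found by brute force
    choices = [[w for w in range(1, pk) if gcd(w, pk) == 1 and ord_mod(w, pk) == j]
               for _, pk in factors]
    moduli = [2] + [pk for _, pk in factors]
    return {crt([1] + list(ws), moduli) for ws in product(*choices)}


def fixed_points(p, i):
    """Elements of F_p fixed by x -> x^i, computed directly."""
    return {x for x in range(p) if pow(x, i, p) == x}


def cycle_length_set(p, i):
    """Theorem 1: the cycle lengths of x^i on F_q are exactly {ord_t(i) : t | q-1}."""
    return {ord_mod(i, t) for t in range(1, p) if (p - 1) % t == 0}


if __name__ == "__main__":
    p, j = 23, 5                       # constructed: 22 = 2 * 11 and 5 | 10
    for i in sorted(section4_exponents(p, j)):
        print(i, sorted(fixed_points(p, i)), cycle_length_set(p, i))
    print(section4_exponents(31, 2), section4_exponents(31, 4))
```

For $q = 23$ the four exponents $3, 5, 9, 15$ ($\phi(5)^1 = 4$ of them) each fix exactly $\{0, 1, 22\}$ and have cycle lengths $\{1, 5\}$; for $q = 31$ and $j = 2$ the construction returns only $i = 29 = q - 2$, and for $j = 4$ it returns nothing, since $4 \nmid 3 - 1$.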

Our simulations show that although our interleavers do not have better dispersion or spreading than random interleavers, interleavers with certain lengths of the cycles perform as well as or better than them. More details on this can be found in [3]. 

Graphs with large girth have been used for the construction of regular and irregular low density parity check (LDPC) codes and recently, in [8], the author derived interleavers for turbo codes from graphs which have large girth. The girth (the length of the shortest cycle) of the turbo code graph captures the relation between the cycle length of interleavers and the cycle length of the convolutional codes. We are carrying out further studies on this relation in an attempt to answer the question as to which other parameters are necessary to establish how an interleaver is going to perform. With this approach, we hope to be able to predict the performance of a turbo code with a particular interleaver, based on the cycle length of the convolutional code and the cycle structure of the interleaver. This would remove from the analysis (up to a degree) the painstaking and time consuming task of simulation. 